Memory leaking in Eclipse Mosquitto

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue is used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: Eclipse Mosquitto

Project id: iot.mosquitto

Request type: publication

Versions affected: [TBD, 2.0.18a]

Common Weakness Enumeration:

Common Vulnerability Scoring System: {CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:P}

Summary:

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Credits:

  • Roman Kraus (Fraunhofer FOKUS)
  • Steffen Lüdtke (Fraunhofer FOKUS)
  • Martin Schneider (Fraunhofer FOKUS)
  • Ramon Barakat (Fraunhofer FOKUS)

Links:

  • {primary resolution link}
Edited by Tiago Lucas