Denial of Service Vulnerability in Eclipse Mosquitto Broker
CVE-2017-7653
5.3 MEDIUM
What is CVE-2017-7653?
Eclipse Mosquitto broker versions prior to 1.4.15 do not correctly handle strings that are not valid UTF-8. A malicious client can send a message whose topic string is invalid, and other clients that enforce UTF-8 validation then disconnect from the broker when they receive it. The result is a denial of service for those clients, which can degrade the performance and reliability of any application that relies on the broker for message distribution. Strict validation of string formats on the broker side is the essential mitigation for this risk.
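The mitigation the description calls for is a strict check of every topic string before the broker accepts it. The following is an added example, not Mosquitto's own code, of such a check written to the MQTT 3.1.1 rules for UTF-8 encoded strings; the function names and the sample topics are assumptions for illustration.

```c
/* Added example, not Mosquitto's own code: a strict UTF-8 check of the kind
 * a broker should run on every topic string before accepting it, following
 * the MQTT 3.1.1 rules for UTF-8 encoded strings. Returns 1 if the buffer is
 * well-formed and 0 if it is not. Rejects stray or missing continuation
 * bytes, overlong encodings, UTF-16 surrogates U+D800..U+DFFF, code points
 * above U+10FFFF and the forbidden U+0000. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

int mqtt_utf8_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        uint32_t cp;
        size_t extra, k;

        if (c == 0x00) return 0;                      /* U+0000 not allowed in MQTT strings */
        if (c < 0x80)                { cp = c;        extra = 0; }
        else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; extra = 1; }
        else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; extra = 2; }
        else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; extra = 3; }
        else return 0;                                /* 0x80..0xBF / 0xF8..0xFF cannot start a sequence */

        if (i + extra >= len) return 0;               /* sequence runs past the end of the buffer */
        for (k = 1; k <= extra; k++) {
            unsigned char cb = s[i + k];
            if ((cb & 0xC0) != 0x80) return 0;        /* continuation byte must be 10xxxxxx */
            cp = (cp << 6) | (cb & 0x3F);
        }
        /* overlong: the value must actually need all the bytes that were used */
        if ((extra == 1 && cp < 0x80) || (extra == 2 && cp < 0x800) ||
            (extra == 3 && cp < 0x10000)) return 0;
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;   /* UTF-16 surrogate halves */
        if (cp > 0x10FFFF) return 0;                  /* beyond the Unicode range */
        i += extra + 1;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated C strings. */
int mqtt_utf8_valid_str(const char *s)
{
    return mqtt_utf8_valid((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample topics: one valid, one with a lead byte missing its continuation. */
    const char *good = "sensors/temp\xC3\xA9rature";
    const char *bad  = "sensors/temp\xC3(rature";
    printf("good topic -> %d\n", mqtt_utf8_valid_str(good));
    printf("bad topic  -> %d\n", mqtt_utf8_valid_str(bad));
    return 0;
}
```

A broker applying this check on receipt can reject the malformed PUBLISH itself instead of relaying a topic that well-behaved subscribers will refuse.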
Affected Version(s)
Eclipse Mosquitto <= 1.4.15
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged