Stack Overflow Vulnerability in Eclipse Mosquitto MQTT Broker
CVE-2019-11779
6.5 MEDIUM
Key Information:
- Vendor: The Eclipse Foundation
- Status: Vendor
- CVE Published: 19 September 2019
What is CVE-2019-11779?
In Eclipse Mosquitto 1.5.0 through 1.6.5, a malicious MQTT client can crash the broker by sending a SUBSCRIBE packet whose topic filter consists of approximately 65400 or more '/' characters. Every '/' begins a new topic hierarchy level, so a single filter that fits within MQTT's 16-bit string length carries tens of thousands of (empty) levels; the broker walks the subscription hierarchy level by level, and that depth exhausts the thread's stack (the "stack overflow" of the title), terminating the process. Because one Mosquitto daemon serves every connected client, the result is a denial of service for the whole deployment; confidentiality and integrity are unaffected, which is what the CVSS vector below reflects. The 1.6.6 release fixes the issue by rejecting topics whose hierarchy depth exceeds a fixed limit; where upgrading is not immediately possible, dropping over-deep topic filters before they reach the broker removes the trigger.
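The following C program is an added example, not Mosquitto's own code. It builds the MQTT 3.1.1 SUBSCRIBE packet the advisory describes (one topic filter of 65400 '/' characters) and implements the check a patched broker or a filtering proxy would apply: decode the packet, count the hierarchy levels of each topic filter, and refuse the subscription when any filter exceeds a depth cap. The cap value (MAX_TOPIC_LEVELS = 200) and all function names are this example's own choices; the packet layout and the remaining-length encoding follow the MQTT 3.1.1 specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Depth cap assumed for this example; the value the upstream fix uses is not stated on this page. */
#define MAX_TOPIC_LEVELS 200

/* Number of hierarchy levels in a topic filter: one more than the number of '/' separators.
 * A filter made only of '/' characters therefore has (count + 1) empty levels. */
int topic_level_count(const char *topic, size_t len)
{
    int levels = 1;
    for (size_t i = 0; i < len; i++) {
        if (topic[i] == '/') levels++;
    }
    return levels;
}

/* MQTT 3.1.1 "remaining length" variable-byte integer encoder (1-4 bytes). Returns bytes written. */
size_t encode_remaining_length(uint32_t len, uint8_t out[4])
{
    size_t n = 0;
    do {
        uint8_t byte = len % 128;
        len /= 128;
        if (len > 0) byte |= 0x80;          /* continuation bit */
        out[n++] = byte;
    } while (len > 0 && n < 4);
    return n;
}

/* Decoder for the same field. Returns bytes consumed, or 0 when malformed. */
size_t decode_remaining_length(const uint8_t *buf, size_t buflen, uint32_t *value)
{
    uint32_t multiplier = 1, v = 0;
    size_t i = 0;
    do {
        if (i >= buflen || i >= 4) return 0;
        v += (uint32_t)(buf[i] & 0x7f) * multiplier;
        multiplier *= 128;
    } while (buf[i++] & 0x80);
    *value = v;
    return i;
}

/* Build a SUBSCRIBE packet carrying one topic filter (MQTT 3.1.1, section 3.8).
 * Layout: 0x82 | remaining length | packet id (2) | filter length (2) | filter | requested QoS (1).
 * Returns the total packet length and stores a malloc'd buffer in *out; 0 on error. */
size_t build_subscribe(uint16_t packet_id, const char *filter, size_t filter_len, uint8_t qos, uint8_t **out)
{
    if (filter_len > 65535 || qos > 2) return 0;   /* MQTT strings carry a 16-bit length */
    uint32_t remaining = 2 + 2 + (uint32_t)filter_len + 1;
    uint8_t rl[4];
    size_t rl_n = encode_remaining_length(remaining, rl);
    size_t total = 1 + rl_n + remaining;
    uint8_t *buf = malloc(total);
    if (!buf) return 0;
    size_t p = 0;
    buf[p++] = 0x82;                               /* SUBSCRIBE with its fixed flags 0010 */
    memcpy(buf + p, rl, rl_n); p += rl_n;
    buf[p++] = (uint8_t)(packet_id >> 8); buf[p++] = (uint8_t)(packet_id & 0xff);
    buf[p++] = (uint8_t)(filter_len >> 8); buf[p++] = (uint8_t)(filter_len & 0xff);
    memcpy(buf + p, filter, filter_len); p += filter_len;
    buf[p++] = qos;
    *out = buf;
    return total;
}

/* Walk a SUBSCRIBE packet and return the deepest hierarchy among its topic filters,
 * or -1 if the packet is malformed or carries no filter. This is the check to run
 * before the subscription reaches the broker's subscription-tree handling. */
int subscribe_max_depth(const uint8_t *pkt, size_t len)
{
    if (len < 2 || (pkt[0] & 0xf0) != 0x80) return -1;
    uint32_t remaining;
    size_t rl_n = decode_remaining_length(pkt + 1, len - 1, &remaining);
    if (rl_n == 0 || (size_t)1 + rl_n + remaining != len) return -1;
    const uint8_t *p = pkt + 1 + rl_n, *end = pkt + len;
    if (end - p < 2) return -1;
    p += 2;                                        /* packet identifier */
    int max_depth = 0;
    while (p < end) {
        if (end - p < 2) return -1;
        size_t flen = ((size_t)p[0] << 8) | p[1];
        p += 2;
        if ((size_t)(end - p) < flen + 1) return -1;
        int d = topic_level_count((const char *)p, flen);
        if (d > max_depth) max_depth = d;
        p += flen + 1;                             /* filter bytes plus requested-QoS byte */
    }
    return max_depth > 0 ? max_depth : -1;
}

/* Build the CVE-2019-11779 trigger: a filter of n '/' characters (n = 65400 matches the advisory). */
size_t build_slash_subscribe(size_t n, uint8_t **out)
{
    char *filter = malloc(n);
    if (!filter) return 0;
    memset(filter, '/', n);
    size_t total = build_subscribe(1, filter, n, 0, out);
    free(filter);
    return total;
}

/* Accept a SUBSCRIBE only when every filter stays within the depth cap. */
int subscribe_is_acceptable(const uint8_t *pkt, size_t len)
{
    int d = subscribe_max_depth(pkt, len);
    return d >= 0 && d <= MAX_TOPIC_LEVELS;
}

int main(void)
{
    uint8_t *pkt = NULL;
    size_t len = build_slash_subscribe(65400, &pkt);
    printf("packet bytes: %zu, deepest filter: %d levels, accepted: %d\n",
           len, subscribe_max_depth(pkt, len), subscribe_is_acceptable(pkt, len));
    free(pkt);
    return 0;
}
```

The 65400-slash filter produces a packet of 65409 bytes (three remaining-length bytes because 65405 exceeds the two-byte range) and 65401 hierarchy levels, so the depth check rejects it while an ordinary filter such as `sensors/room1/temp` (three levels) passes. Counting levels is a linear scan over the filter, which is why a depth cap is a cheap place to stop this input: the cost of the check does not grow with the number of levels the broker would otherwise have to descend.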
Affected Version(s)
Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS v3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H