Negative SubACK Causes Out-of-Bounds Memory Access in Mosquitto Subscribers
CVE-2024-10525

7.2 HIGH

Key Information:

CVE Published:
30 October 2024

What is CVE-2024-10525?

Eclipse Mosquitto clients, specifically those built on libmosquitto, are susceptible to an out-of-bounds memory access when a malicious broker transmits a crafted SUBACK packet that carries no reason codes. The vulnerability affects the mosquitto_sub and mosquitto_rr clients and puts data integrity and stability at risk while a subscription is being confirmed. Users running versions 1.3.2 through 2.0.18 should upgrade to the latest version to mitigate potential exploitation.
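As an added illustration (not code from the Mosquitto project), the following C routine shows the check a client can apply to a SUBACK body before it indexes any reason code. It assumes the MQTT 3.1.1 SUBACK layout (a 2-byte packet identifier followed by one reason code per topic in the matching SUBSCRIBE) and uses constructed sample packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed view of a SUBACK body (the bytes after the fixed header). */
typedef struct {
    uint16_t packet_id;
    const uint8_t *codes;   /* points into the caller's buffer */
    size_t count;           /* number of reason codes present */
} suback_t;

/*
 * Validate an MQTT 3.1.1 SUBACK body before any reason code is read.
 * Returns the number of reason codes (>= 1) on success, -1 if malformed.
 * A body carrying only the packet identifier (zero reason codes) is
 * rejected here; a client that blindly reads codes[0] from such a packet
 * would read past the payload, which is the failure mode CVE-2024-10525
 * describes for a malicious broker. `out` may be NULL.
 */
int suback_parse(const uint8_t *body, size_t len, size_t expected, suback_t *out)
{
    if (body == NULL || len < 2) return -1;   /* no packet identifier */
    size_t count = len - 2;
    if (count == 0) return -1;                /* no reason codes at all */
    if (count != expected) return -1;         /* must match topics in our SUBSCRIBE */
    for (size_t i = 0; i < count; i++) {
        uint8_t rc = body[2 + i];
        /* 3.1.1 return codes: 0x00/0x01/0x02 = granted QoS, 0x80 = failure */
        if (rc > 0x02 && rc != 0x80) return -1;
    }
    if (out) {
        out->packet_id = (uint16_t)((body[0] << 8) | body[1]);
        out->codes = body + 2;
        out->count = count;
    }
    return (int)count;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t GOOD_SUBACK[]  = {0x00, 0x01, 0x01};  /* id 1, QoS 1 granted */
static const uint8_t EMPTY_SUBACK[] = {0x00, 0x01};        /* id 1, no reason codes */
static const uint8_t BADRC_SUBACK[] = {0x00, 0x01, 0x7f};  /* id 1, invalid code */

int main(void)
{
    suback_t s;
    printf("good : %d\n", suback_parse(GOOD_SUBACK, sizeof GOOD_SUBACK, 1, &s));
    printf("empty: %d\n", suback_parse(EMPTY_SUBACK, sizeof EMPTY_SUBACK, 1, &s));
    printf("badrc: %d\n", suback_parse(BADRC_SUBACK, sizeof BADRC_SUBACK, 1, &s));
    return 0;
}
```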

Affected Version(s)

mosquitto 1.3.2 through 2.0.18 (inclusive)

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V4

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Qingpeng Du.