Memory Leaking Vulnerability in Eclipse Mosquitto Up to 2.0.18a
CVE-2024-8376

7.5HIGH

Key Information:

Vendor: Eclipse Foundation
Status: Mosquitto
Vendor: CVE Published:; 11 October 2024

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2024-8376?

Eclipse Mosquitto versions up to 2.0.18a are susceptible to a vulnerability that allows attackers to exploit specific sequences of 'CONNECT', 'DISCONNECT', 'SUBSCRIBE', 'UNSUBSCRIBE', and 'PUBLISH' packets. This exploitation can lead to memory leaking, segmentation faults, or heap-use-after-free scenarios, potentially destabilizing the service and affecting the integrity of the system. It is crucial for users to apply the latest updates to mitigate these risks.

Affected Version(s)

Mosquitto 2.0.18

Mosquitto 2.0.19

References

https://gitlab.eclipse.org/security/vulnerability-reports...

issue-tracking

https://gitlab.eclipse.org/security/vulnerability-reports...

issue-tracking

https://gitlab.eclipse.org/security/vulnerability-reports...

issue-tracking

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2024
Vulnerability Reserved
Sep 2, 2024

Credit

Roman Kraus (Fraunhofer FOKUS)

Steffen Lüdtke (Fraunhofer FOKUS)

Martin Schneider (Fraunhofer FOKUS)

Ramon Barakat (Fraunhofer FOKUS)