CVE-2017-7651 — Memory Allocation with Excessive Size Value in Mosquitto

CWE-789 — Memory Allocation with Excessive Size Value CWE-400 — Uncontrolled Resource Consumption9 documents6 sources

Severity

7.5HIGHNVD

EPSS

23.2%

top 4.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mosquitto THE Eclipse Foundation Eclipse Mosquitto Debian Linux

Timeline

PublishedApr 24

Latest updateMay 13

Description

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianeclipse/mosquitto< 1.4.15-1+3

▶NVDeclipse/mosquitto1.4.14

▶CVEListV5the_eclipse_foundation/eclipse_mosquitto1.4.14

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: mosquitto.org ↗Patch: mosquitto.org ↗

🔴Vulnerability Details

GHSA

GHSA-5jfw-q283-hm73: In Eclipse Mosquitto 1↗2022-05-13

▶

CVEList

CVE-2017-7651: In Eclipse Mosquitto 1↗2018-04-24

▶

OSV

CVE-2017-7651: In Eclipse Mosquitto 1↗2018-04-24

▶

📋Vendor Advisories

Debian

CVE-2017-7651: mosquitto - In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by ...↗2017

▶

💬Community

Bugzilla

CVE-2017-7651 mosquitto: memory exhaustion through multiple crafted CONNECT packets [epel-7]↗2018-03-05

▶

Bugzilla

CVE-2017-7651 mosquitto: memory exhaustion through multiple crafted CONNECT packets [fedora-all]↗2018-03-05

▶

Bugzilla

CVE-2017-7651 mosquitto: memory exhaustion through multiple crafted CONNECT packets↗2018-03-05

▶

Bugzilla

CVE-2017-7652 mosquitto: configuration reload fails when no free sockets/file descriptors are available↗2018-03-05

▶