CVE-2017-7654Missing Release of Memory after Effective Lifetime in Eclipse Foundation Eclipse Mosquitto

CWE-401Missing Release of Memory after Effective LifetimeCWE-772Missing Release of Resource after Effective Lifetime9 documents7 sources
Severity
7.5HIGHNVD
EPSS
1.4%
top 19.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Eclipse MosquittoTHE Eclipse Foundation Eclipse MosquittoDebian Linux
Timeline
PublishedJun 5
Latest updateMay 13

Description

In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5the_eclipse_foundation/eclipse_mosquittounspecified1.4.15
Debianeclipse/mosquitto< 1.5.4-1+3
NVDeclipse/mosquitto1.4.15

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: bugs.eclipse.orgPatch: bugs.eclipse.org

🔴Vulnerability Details

3
GHSA
GHSA-gp2q-hhpv-54m6: In Eclipse Mosquitto 12022-05-13
CVEList
CVE-2017-7654: In Eclipse Mosquitto 12018-06-05
OSV
CVE-2017-7654: In Eclipse Mosquitto 12018-06-05

📋Vendor Advisories

2
Ubuntu
Mosquitto vulnerabilities2019-06-20
Debian
CVE-2017-7654: mosquitto - In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found w...2017

💬Community

3
Bugzilla
CVE-2017-7654 mosquitto: Memory leak allows unauthenticated clients to send crafted CONNECT packets causing a denial of service2018-06-08
Bugzilla
CVE-2017-7654 mosquitto: Memory leak allows unauthenticated clients to send crafted CONNECT packets causing a denial of service [fedora-all]2018-06-08
Bugzilla
CVE-2017-7654 mosquitto: Memory leak allows unauthenticated clients to send crafted CONNECT packets causing a denial of service [epel-7]2018-06-08
CVE-2017-7654 — HIGH severity | cvebase