CVE-2019-11778 — Use After Free in Mosquitto

CWE-416 — Use After Free5 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 42.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mosquitto THE Eclipse Foundation Eclipse Mosquitto

Timeline

PublishedSep 18

Latest updateMay 24

Description

If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDeclipse/mosquitto1.6 — 1.6.5

▶Debianeclipse/mosquitto< 1.6.6-1+3

▶CVEListV5the_eclipse_foundation/eclipse_mosquitto1.6.0 to 1.6.4

🔴Vulnerability Details

GHSA

GHSA-rr62-j9x2-468p: If an MQTT v5 client connects to Eclipse Mosquitto versions 1↗2022-05-24

▶

OSV

CVE-2019-11778: If an MQTT v5 client connects to Eclipse Mosquitto versions 1↗2019-09-18

▶

CVEList

CVE-2019-11778: If an MQTT v5 client connects to Eclipse Mosquitto versions 1↗2019-09-18

▶

📋Vendor Advisories

Debian

CVE-2019-11778: mosquitto - If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclu...↗2019

▶