CVE-2019-11779: In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or…

medium6.5CVSS 3.1

AVNACLPRLUINSUCNINAH

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Affected

16 ranges

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	mosquitto	< mosquitto 1.6.6-1 (bookworm)	mosquitto 1.6.6-1 (bookworm)
eclipse	mosquitto	>= 0 < 1.6.6-1	1.6.6-1
eclipse	mosquitto	>= 0 < 1.6.6-1	1.6.6-1
eclipse	mosquitto	>= 0 < 1.6.6-1	1.6.6-1
eclipse	mosquitto	>= 0 < 1.6.6-1	1.6.6-1
eclipse	mosquitto	>= 1.5 < 1.5.9	1.5.9
eclipse	mosquitto	>= 1.6 < 1.6.6	1.6.6
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
opensuse	backports_sle	—	—
opensuse	leap	—	—
the_eclipse_foundation	eclipse_mosquitto	—	—

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

osv6.5MEDIUM