CVE-2023-0809
Published 2023-10-02
CVE-2023-0809: In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Priority: P4 · 25 · medium · 5.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:L
EPSS
0.61%
44.6th percentile
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < mosquitto 2.0.11-1.2+deb12u1 (bookworm) | mosquitto 2.0.11-1.2+deb12u1 (bookworm) |
| eclipse | mosquitto | < 2.0.16 | 2.0.16 |
| eclipse | mosquitto | >= 0 < 2.0.11-1+deb11u1 | 2.0.11-1+deb11u1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1.2+deb12u1 | 2.0.11-1.2+deb12u1 |
| eclipse | mosquitto | >= 0 < 2.0.17-1 | 2.0.17-1 |
| eclipse | mosquitto | >= 0 < 2.0.17-1 | 2.0.17-1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1ubuntu1.1 | 2.0.11-1ubuntu1.1 |
| eclipse | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm1 | 1.6.9-1ubuntu0.1~esm1 |
| chrome_chrome | — | — | — |
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv · 6.5 MEDIUM
vendor_ubuntu · 6.5 MEDIUM
vendor_debian · 5.8 MEDIUM
vendor_redhat · 5.8 MEDIUM
OSV
mosquitto vulnerabilities
osv·2023-11-21·CVSS 6.5
CVE-2021-34431 [MEDIUM] mosquitto vulnerabilities
mosquitto vulnerabilities
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)
Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)
Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly handled certain inputs. If a user or an automated system were
provide
GHSA
GHSA-v9xr-r3xx-x9gc: In Mosquitto before 2
ghsa_unreviewed·2023-10-02
CVE-2023-0809 [MEDIUM] CWE-770 GHSA-v9xr-r3xx-x9gc: In Mosquitto before 2
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
OSV
CVE-2023-0809: In Mosquitto before 2
osv·2023-10-02·CVSS 5.3
CVE-2023-0809 [MEDIUM] CVE-2023-0809: In Mosquitto before 2
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-0809
vendor_chrome·2024-02-07·CVSS 4.3
CVE-2024-0809 [LOW] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-0809
Stable Channel Update for ChromeOS / ChromeOS Flex
CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31. Users who are pinned to a specific release of ChromeOS will not receive these security fixes or any other security fixes.
Severity: low
Chrome
Stable Channel Update for Desktop: CVE-2024-0811
vendor_chrome·2024-01-23·CVSS 4.3
CVE-2024-0811 [LOW] Stable Channel Update for Desktop: CVE-2024-0811
Stable Channel Update for Desktop
CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21. [TBD][ 1497985 ] Low CVE-2024-0809: Inappropriate implementation in Autofill.
Reported by Ahmed ElMasry on 2023-10-31. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Severity: low
Ubuntu
Mosquitto vulnerabilities
vendor_ubuntu·2023-11-21·CVSS 6.5
CVE-2023-0809 [MEDIUM] Mosquitto vulnerabilities
Title: Mosquitto vulnerabilities
Summary: Several security issues were fixed in Mosquitto.
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)
Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)
Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly han
Red Hat
mosquitto: memory leak leads to unresponsive broker
vendor_redhat·2023-09-01·CVSS 5.8
CVE-2023-0809 [MEDIUM] CWE-401 mosquitto: memory leak leads to unresponsive broker
mosquitto: memory leak leads to unresponsive broker
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to deplete system resources, causing memory exhaustion, leading to a disruption in services and a denial of service condition.
Package: mosquitto (Red Hat build of Apache Camel for Spring Boot 3) - Not affected
Package: mosquitto (Red Hat Integration Camel K 1) - Not affected
Debian
CVE-2023-0809: mosquitto - In Mosquitto before 2.0.16, excessive memory is allocated based on malicious ini...
vendor_debian·2023·CVSS 5.8
CVE-2023-0809 [MEDIUM] CVE-2023-0809: mosquitto - In Mosquitto before 2.0.16, excessive memory is allocated based on malicious ini...
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Scope: local
bookworm: resolved (fixed in 2.0.11-1.2+deb12u1)
bullseye: resolved (fixed in 2.0.11-1+deb11u1)
forky: resolved (fixed in 2.0.17-1)
sid: resolved (fixed in 2.0.17-1)
trixie: resolved (fixed in 2.0.17-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-10-02
Published