CVE-2023-3592
Published 2023-10-02
CVE-2023-3592: In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
Priority: P434 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.68% (47.6th percentile)
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < mosquitto 2.0.11-1.2+deb12u1 (bookworm) | mosquitto 2.0.11-1.2+deb12u1 (bookworm) |
| eclipse | mosquitto | < 2.0.16 | 2.0.16 |
| eclipse | mosquitto | >= 0 < 2.0.11-1+deb11u1 | 2.0.11-1+deb11u1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1.2+deb12u1 | 2.0.11-1.2+deb12u1 |
| eclipse | mosquitto | >= 0 < 2.0.17-1 | 2.0.17-1 |
| eclipse | mosquitto | >= 0 < 2.0.17-1 | 2.0.17-1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1ubuntu1.1 | 2.0.11-1ubuntu1.1 |
| eclipse | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm1 | 1.6.9-1ubuntu0.1~esm1 |
| msrc | cbl2_libtiff_4.4.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_libtiff_4.5.0-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_redhat | 6.8 | MEDIUM | — |
| vendor_ubuntu | 6.5 | MEDIUM | — |
| vendor_debian | 5.8 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
Ubuntu
Mosquitto vulnerabilities
vendor_ubuntu·2023-11-21·CVSS 6.5
CVE-2023-0809 [MEDIUM] Mosquitto vulnerabilities
Title: Mosquitto vulnerabilities
Summary: Several security issues were fixed in Mosquitto.
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)
Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)
Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly han
Red Hat
mosquitto: memory leak leads to unresponsive broker
vendor_redhat·2023-09-01·CVSS 5.8
CVE-2023-3592 [MEDIUM] CWE-401 mosquitto: memory leak leads to unresponsive broker
mosquitto: memory leak leads to unresponsive broker
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to deplete system resources, causing memory exhaustion, a disruption in services and a denial of service condition.
Package: mosquitto (Red Hat build of Apache Camel for Spring Boot 3) - Not affected
Package: mosquitto (Red Hat Integration Camel K 1) - Not affected
Microsoft
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592 allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources the fi
vendor_msrc·2023-02-14·CVSS 5.5
CVE-2023-0796 [MEDIUM] CWE-125 LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592 allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources the fi
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592 allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources the fix is available with commit afaabc3e.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional produc
Red Hat
libtiff: out-of-bounds read in extractContigSamplesShifted24bits() in tools/tiffcrop.c
vendor_redhat·2023-02-12·CVSS 6.8
CVE-2023-0796 [MEDIUM] CWE-125 libtiff: out-of-bounds read in extractContigSamplesShifted24bits() in tools/tiffcrop.c
libtiff: out-of-bounds read in extractContigSamplesShifted24bits() in tools/tiffcrop.c
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractContigSamplesShifted24bits function in tools/tiffcrop.c, resulting in a Denial of Service and limited information disclosure.
Package: libtiff (Red Hat Enterprise Linux 6) - Out of support scope
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Out of support scope
Package: libtiff (Red Hat Enterprise Linux
Debian
CVE-2023-3592: mosquitto - In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT pa...
vendor_debian·2023·CVSS 5.8
CVE-2023-3592 [MEDIUM] CVE-2023-3592: mosquitto - In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT pa...
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
Scope: local
bookworm: resolved (fixed in 2.0.11-1.2+deb12u1)
bullseye: resolved (fixed in 2.0.11-1+deb11u1)
forky: resolved (fixed in 2.0.17-1)
sid: resolved (fixed in 2.0.17-1)
trixie: resolved (fixed in 2.0.17-1)
OSV
mosquitto vulnerabilities
osv·2023-11-21·CVSS 6.5
CVE-2021-34431 [MEDIUM] mosquitto vulnerabilities
mosquitto vulnerabilities
GHSA
GHSA-p7q8-377q-px25: In Mosquitto before 2
ghsa_unreviewed·2023-10-02
CVE-2023-3592 [HIGH] CWE-401 GHSA-p7q8-377q-px25: In Mosquitto before 2
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
OSV
CVE-2023-3592: In Mosquitto before 2
osv·2023-10-02·CVSS 7.5
CVE-2023-3592 [HIGH] CVE-2023-3592: In Mosquitto before 2
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.