CVE-2023-5632
Published 2023-10-18
Priority: P3 (38)
Severity: high, CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.69% (48.1st percentile)
In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results in excessive CPU consumption. This could be used by a malicious actor to perform a denial-of-service attack. This issue is fixed in 2.0.6.

Why an idle socket does this: a connected TCP socket with an empty send buffer is always writable, so a level-triggered (the epoll default) EPOLLOUT registration is reported ready on every epoll_wait() call and the broker's event loop never blocks. The attacker only needs to complete the TCP handshake to the listener and then stay silent; no MQTT CONNECT packet, let alone credentials, is required, which is what PR:N and UI:N in the vector express.
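The loop behind the advisory, as an added Python demonstration that is not part of this page or of the Mosquitto code base: it opens a loopback TCP connection whose client never sends a byte, then registers the server side with epoll under the mask the vulnerable broker effectively used for an idle client (EPOLLOUT present) and under the mask a fixed broker uses until it actually has output pending (EPOLLIN only). It counts how many passes of a zero-timeout loop report the socket ready, and times a single blocking epoll_wait() the way a real main loop would call it. Python's select.epoll is Linux-only; the ports, sockets and iteration counts are constructed locally and assume nothing about a running broker.

```python
"""Why an idle connection burns CPU when EPOLLOUT is registered (Linux only).

Constructed demonstration for CVE-2023-5632: a loopback TCP client connects
and sends nothing, exactly like the idle client in the advisory. We then run
an epoll loop over the server-side socket under different event masks. This
is not Mosquitto code; it reproduces only the epoll behaviour described.
"""
import select
import socket
import time

# Event masks compared below. The vulnerable broker ended up with EPOLLOUT
# set on a connection that had nothing to write; a fixed broker waits for
# input only until there is pending output.
VULNERABLE_MASK = select.EPOLLIN | select.EPOLLOUT
FIXED_MASK = select.EPOLLIN


def idle_connection():
    """Return (listener, client, server_side) for a loopback TCP connection
    on which the client never sends a byte (ephemeral port, no assumptions)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()  # the broker's view of the silent client
    return listener, client, server_side


def _with_epoll(event_mask, body):
    """Register an idle connection under event_mask, run body(epoll), clean up."""
    listener, client, server_side = idle_connection()
    ep = select.epoll()
    ep.register(server_side.fileno(), event_mask)
    try:
        return body(ep)
    finally:
        ep.close()
        for s in (server_side, client, listener):
            s.close()


def ready_iterations(event_mask, iterations=1000):
    """Simulate `iterations` passes of an event loop that calls epoll_wait()
    with a zero timeout; count the passes that report the idle socket ready.
    Under EPOLLOUT every pass does (useless) work; under EPOLLIN none do."""
    def body(ep):
        ready = 0
        for _ in range(iterations):
            if ep.poll(0):  # timeout 0 returns immediately, like a hot loop
                ready += 1
        return ready
    return _with_epoll(event_mask, body)


def blocking_wait_seconds(event_mask, timeout=0.2):
    """Time one epoll_wait() with a real timeout, as a broker main loop would
    call it. With EPOLLOUT it returns at once because the socket is writable;
    with EPOLLIN only, it sleeps out the timeout because nothing arrived."""
    def body(ep):
        t0 = time.monotonic()
        ep.poll(timeout)
        return time.monotonic() - t0
    return _with_epoll(event_mask, body)


if __name__ == "__main__":
    n = 1000
    print(f"EPOLLIN|EPOLLOUT: {ready_iterations(VULNERABLE_MASK, n)}/{n} passes ready, "
          f"blocking wait returned after {blocking_wait_seconds(VULNERABLE_MASK):.4f}s")
    print(f"EPOLLIN only:     {ready_iterations(FIXED_MASK, n)}/{n} passes ready, "
          f"blocking wait returned after {blocking_wait_seconds(FIXED_MASK):.4f}s")
```

With the vulnerable mask every pass reports the socket ready and the blocking wait returns in microseconds, so a single silent TCP connection keeps the event loop spinning; with EPOLLIN only the loop parks in epoll_wait() for the full timeout, which is the behaviour the 2.0.6 fix restores.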
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | mosquitto | <= 2.0.5 | 2.0.6 (upstream) |
| debian | mosquitto | < mosquitto 2.0.7-1 (bookworm) | mosquitto 2.0.7-1 (bookworm) |
| eclipse | mosquitto | >= 0 < 2.0.7-1 | 2.0.7-1 |
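A version gate against the ranges in the table above, as an added Python example (not from this page or from the Mosquitto project). The input is text a practitioner already has: the first line of `mosquitto -h`, or the retained payload of the `$SYS/broker/version` topic, both of the form "mosquitto version 2.0.5". Strings carrying a Debian-style revision suffix ("2.0.5-1") are checked against the distribution fix 2.0.7-1 exactly as the table states it; bare upstream versions are checked against "before and including 2.0.5". The sample strings at the bottom are constructed, not collected from real hosts.

```python
"""Check a Mosquitto version string against the CVE-2023-5632 affected ranges.

Added example, not Mosquitto project code. Ranges come from the page's table:
upstream "<= 2.0.5" (fixed in 2.0.6) and Debian ">= 0 < 2.0.7-1".
"""
import re

UPSTREAM_FIXED = (2, 0, 6)   # "This issue is fixed in 2.0.6"
DEBIAN_FIXED = (2, 0, 7, 1)  # Debian tracker: resolved, fixed in 2.0.7-1

# major.minor.patch with an optional -N Debian revision; tolerates prefixes
# such as "mosquitto version " from `mosquitto -h` or $SYS/broker/version.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, debian_revision_or_None), or None when
    the text contains no dotted version at all."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch), int(rev) if rev is not None else None)


def is_affected(text):
    """True if the version lies inside an affected range from the table.

    A -N revision marks a Debian package version and selects the
    ">= 0 < 2.0.7-1" range; otherwise the upstream "< 2.0.6" range applies.
    Raises ValueError on unparsable input so a scanner cannot silently mark
    an unidentified host as clean.
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, rev = v
    if rev is not None:
        return (major, minor, patch, rev) < DEBIAN_FIXED
    return (major, minor, patch) < UPSTREAM_FIXED


def triage(samples):
    """Map each version string to 'affected', 'fixed' or 'unknown'."""
    verdicts = {}
    for s in samples:
        try:
            verdicts[s] = "affected" if is_affected(s) else "fixed"
        except ValueError:
            verdicts[s] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs covering both range styles and a bad banner.
    for text, verdict in triage([
        "mosquitto version 2.0.5",
        "mosquitto version 2.0.6",
        "2.0.5-1",
        "2.0.7-1",
        "2.0.11-1",
        "not a broker banner",
    ]).items():
        print(f"{text!r:32} -> {verdict}")
```

Reading `$SYS/broker/version` needs a client that is allowed to subscribe to `$SYS/#`; on hosts where that is locked down, `mosquitto -h` on the broker machine gives the same banner line.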
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
GHSA
GHSA-4jhw-x435-x5f7 (ghsa_unreviewed, 2023-10-18)
CVE-2023-5632 [HIGH], CWE-834 (Excessive Iteration)
Description: identical to the CVE text above.
OSV
CVE-2023-5632 (osv, 2023-10-18, CVSS 7.5, HIGH)
Description: identical to the CVE text above.
Red Hat
Mosquitto: Possible Denial of Service due to excessive CPU consumption (vendor_redhat, 2023-10-18, CVSS 7.5, HIGH)
CVE description: identical to the CVE text above.
Red Hat summary: A denial of service vulnerability was found in Eclipse Mosquitto. Establishing a connection to the Mosquitto server without sending data could lead to excessive CPU consumption and a denial of service.
Package: mosquitto (Red Hat build of Apache Camel for Spring Boot 3) - Not affected
Package: mosquitto (Red Hat Integration Camel K 1) - Not affected
Package: mosquitto (Red Hat Satellite 6) - Not affected
Debian
CVE-2023-5632: mosquitto (vendor_debian, 2023, CVSS 7.5, HIGH)
Description: identical to the CVE text above.
Scope: local
bookworm: resolved (fixed in 2.0.7-1)
bullseye: resolved (fixed in 2.0.7-1)
forky: resolved (fixed in 2.0.7-1)
sid: resolved (fixed in 2.0.7-1)
trixie: resolved (fixed in 2.0.7-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.