CVE-2024-8376
Published 2024-10-11
Priority: P3 · 39 · Severity: high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.75% (50.2th percentile)
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < mosquitto 2.0.11-1.2+deb12u2 (bookworm) | mosquitto 2.0.11-1.2+deb12u2 (bookworm) |
| eclipse | mosquitto | < 2.0.19 | 2.0.19 |
| eclipse | mosquitto | >= 0 < 2.0.11-1.2+deb12u2 | 2.0.11-1.2+deb12u2 |
| eclipse | mosquitto | >= 0 < 2.0.20-1 | 2.0.20-1 |
| eclipse | mosquitto | >= 0 < 2.0.20-1 | 2.0.20-1 |
| eclipse_foundation | mosquitto | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 7.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | HIGH | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
GHSA-72qw-2vp3-gvg9 · ghsa_unreviewed · 2024-10-11 · HIGH · CWE-401
Description: same text as the CVE description above.
OSV
CVE-2024-8376 · osv · 2024-10-11 · CVSS 7.2 · HIGH
Description: same text as the CVE description above.
Red Hat
mosquitto: sending specific sequences of packets may trigger memory leak · vendor_redhat · 2024-10-11 · CVSS 7.2 · HIGH · CWE-401
A flaw was found in Eclipse Mosquitto. A remote attacker may be able to trigger memory leakage, segmentation fault, or a heap-use-after-free condition by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE", and "PUBLISH" packets.
Package: satellite-capsule:el8/mosquitto (Red Hat Satellite 6) - Affected
Package: satellite:el8/mosquitto (Red Hat Satellite 6) - Affected
Debian
CVE-2024-8376: mosquitto · vendor_debian · 2024 · CVSS 7.2 · HIGH
Description: same text as the CVE description above.
Scope: local
bookworm: resolved (fixed in 2.0.11-1.2+deb12u2)
bullseye: open
forky: resolved (fixed in 2.0.20-1)
sid: resolved (fixed in 2.0.20-1)
trixie: resolved (fixed in 2.0.20-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
- https://github.com/eclipse/mosquitto/releases/tag/v2.0.19
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/26
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227
- https://mosquitto.org/