{"id": "CVE-2023-5632", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-18T09:15:10.080", "references": [{"url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d", "tags": ["Patch"], "source": "emo@eclipse.org"}, {"url": "https://github.com/eclipse/mosquitto/pull/2053", "tags": ["Issue Tracking"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-834"}]}, {"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-834"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. 
This issue is fixed in 2.0.6\n\n\n"}, {"lang": "es", "value": "En Eclipse Mosquito anterior a 2.0.5 incluida, establecer una conexi\u00f3n con el servidor mosquitto sin enviar datos provoca que se agregue el evento EPOLLOUT, lo que resulta en un consumo excesivo de CPU. Esto podr\u00eda ser utilizado por un actor malintencionado para realizar un ataque de tipo de denegaci\u00f3n de servicio. Este problema se solucion\u00f3 en 2.0.6."}], "lastModified": "2023-10-25T17:32:13.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9ACA0BE-573B-4295-9390-F88687C64298", "versionEndExcluding": "2.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}