{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2023-0809", "state": "PUBLISHED", "dateUpdated": "2024-08-02T05:24:34.509Z", "datePublished": "2023-10-02T18:56:26.824Z", "dateReserved": "2023-02-13T14:04:10.012Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mosquitto", "vendor": "Eclipse", "versions": [{"lessThan": "2.0.16", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}], "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2023-10-02T19:02:43.389Z", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"url": "https://security.gentoo.org/glsa/202401-09"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:24:34.509Z"}, "title": "CVE Program Container", "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-09", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "matchCriteriaId": "C744F41F-1469-4455-8C1C-B06373070721", "versionEndExcluding": "2.0.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}, {"lang": "es", "value": "En Mosquitto anterior a 2.0.16, el exceso de memoria se asigna en funci\u00f3n de paquetes iniciales maliciosos que no son paquetes CONNECT."}], "id": "CVE-2023-0809", "lastModified": "2024-01-07T10:15:08.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2023-10-02T19:15:09.717", "references": [{"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"source": "emo@eclipse.org", "url": "https://security.gentoo.org/glsa/202401-09"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-789"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite_capsule:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}], "bugzilla": {"description": "mosquitto: memory leak leads to unresponsive broker", "id": "2236882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236882"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.", "A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to the deplete system resources causing memory exhaustion, leading to a disruption in services and a denial of service condition."], "name": "CVE-2023-0809", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat Integration Camel K"}], "public_date": "2023-09-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0809\nhttps://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"], "threat_severity": "Moderate", "upstream_fix": "mosquitto 2.0.16"}