{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2023-3592", "state": "PUBLISHED", "dateUpdated": "2024-08-02T07:01:56.716Z", "datePublished": "2023-10-02T19:01:54.842Z", "dateReserved": "2023-07-10T15:11:43.593Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mosquitto", "vendor": "Eclipse", "versions": [{"lessThan": "2.0.16", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.<br>"}], "value": "In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2023-10-02T19:13:30.990Z", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"url": "https://security.gentoo.org/glsa/202401-09"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:56.716Z"}, "title": "CVE Program Container", "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-09", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "matchCriteriaId": "C744F41F-1469-4455-8C1C-B06373070721", "versionEndExcluding": "2.0.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.\n"}, {"lang": "es", "value": "En Mosquitto anterior a 2.0.16, se produce una p\u00e9rdida de memoria cuando los clientes env\u00edan paquetes CONNECT v5 con un mensaje de voluntad que contiene tipos de propiedades no v\u00e1lidos."}], "id": "CVE-2023-3592", "lastModified": "2024-01-07T10:15:08.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2023-10-02T20:15:10.123", "references": [{"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"source": "emo@eclipse.org", "url": "https://security.gentoo.org/glsa/202401-09"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite_capsule:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}], "bugzilla": {"description": "mosquitto: memory leak leads to unresponsive broker", "id": "2236882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236882"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.", "A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to the deplete system resources causing memory exhaustion, leading to a disruption in services and a denial of service condition."], "name": "CVE-2023-3592", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat Integration Camel K"}], "public_date": "2023-09-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3592\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3592\nhttps://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"], "threat_severity": "Moderate", "upstream_fix": "mosquitto 2.0.16"}