{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5632", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2023-10-18T08:17:55.102Z", "datePublished": "2023-10-18T08:34:34.788Z", "dateUpdated": "2024-09-13T14:50:24.704Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mosquitto", "programFiles": ["https://github.com/eclipse/mosquitto/blob/master/lib/packet_mosq.c"], "repo": "https://github.com/eclipse/mosquitto", "vendor": "Eclipse", "versions": [{"lessThanOrEqual": "2.0.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Przemys\u0142aw Zygmunt (acsoftware.pl)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6<br></div>"}], "value": "In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\n\n\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-834", "description": "CWE-834 Excessive Iteration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-10-18T08:34:34.788Z"}, "references": [{"tags": ["patch", "issue-tracking"], "url": "https://github.com/eclipse/mosquitto/pull/2053"}, {"tags": ["patch"], "url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d"}], "source": {"discovery": "UNKNOWN"}, "title": "Unconditionally adding an event to the epoll causes excessive CPU consumption", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:07:32.289Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "issue-tracking", "x_transferred"], "url": "https://github.com/eclipse/mosquitto/pull/2053"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-13T14:50:16.055664Z", "id": "CVE-2023-5632", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T14:50:24.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/eclipse/mosquitto/pull/2053", "tags": ["patch", "issue-tracking", "x_transferred"]}, {"url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d", "tags": ["patch", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:07:32.289Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5632", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-13T14:50:16.055664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T14:50:20.575Z"}}], "cna": {"title": "Unconditionally adding an event to the epoll causes excessive CPU consumption", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Przemys\u0142aw Zygmunt (acsoftware.pl)"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse/mosquitto", "vendor": "Eclipse", "product": "Mosquitto", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.5"}], "programFiles": ["https://github.com/eclipse/mosquitto/blob/master/lib/packet_mosq.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/eclipse/mosquitto/pull/2053", "tags": ["patch", "issue-tracking"]}, {"url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\n\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6<br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-834", "description": "CWE-834 Excessive Iteration"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-10-18T08:34:34.788Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5632", "state": "PUBLISHED", "dateUpdated": "2024-09-13T14:50:24.704Z", "dateReserved": "2023-10-18T08:17:55.102Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2023-10-18T08:34:34.788Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9ACA0BE-573B-4295-9390-F88687C64298", "versionEndExcluding": "2.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6\n\n\n"}, {"lang": "es", "value": "En Eclipse Mosquito anterior a 2.0.5 incluida, establecer una conexi\u00f3n con el servidor mosquitto sin enviar datos provoca que se agregue el evento EPOLLOUT, lo que resulta en un consumo excesivo de CPU. Esto podr\u00eda ser utilizado por un actor malintencionado para realizar un ataque de tipo de denegaci\u00f3n de servicio. Este problema se solucion\u00f3 en 2.0.6."}], "id": "CVE-2023-5632", "lastModified": "2023-10-25T17:32:13.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2023-10-18T09:15:10.080", "references": [{"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking"], "url": "https://github.com/eclipse/mosquitto/pull/2053"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-834"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-834"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Mosquitto: Possible Denial of Service due to excessive CPE consumption", "id": "2244840", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2244840"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6", "A denial of service vulnerability was found in Eclipse Mosquitto. Establishing a connection to the Mosquitto server without sending data could lead to excessive CPU consumption and a denial of service."], "name": "CVE-2023-5632", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat Satellite 6"}], "public_date": "2023-10-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5632\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5632\nhttps://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d\nhttps://github.com/eclipse/mosquitto/pull/2053"], "threat_severity": "Moderate", "upstream_fix": "mosquitto 2.0.6"}