Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11779

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Published

2019-09-19T14:15:10.573

Last Modified

2024-11-21T04:21:46.603

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-754
Type: Primary
CWE-674

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	eclipse	mosquitto	< 1.5.9	Yes
Application	eclipse	mosquitto	< 1.6.6	Yes
Operating System	canonical	ubuntu_linux	19.04	Yes
Application	opensuse	backports_sle	15.0	Yes
Operating System	opensuse	leap	15.1	Yes
Operating System	fedoraproject	fedora	29	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	fedoraproject	fedora	31	Yes
Operating System	debian	debian_linux	8.0	Yes
Operating System	debian	debian_linux	10.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html Mailing List, Third Party Advisory ([email protected])
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY/ ([email protected])
https://seclists.org/bugtraq/2019/Nov/25 Mailing List, Third Party Advisory ([email protected])
https://usn.ubuntu.com/4137-1/ Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4570 Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Nov/25 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4137-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4570 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)