CVE-2024-8376
Memory leak
Severity Score: 7.2 (CVSS v4)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)
Descriptions
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
A flaw was found in Eclipse Mosquitto. A remote attacker may be able to trigger memory leakage, segmentation fault, or a heap-use-after-free condition by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE", and "PUBLISH" packets.
*Credits:
Roman Kraus (Fraunhofer FOKUS), Steffen Lüdtke (Fraunhofer FOKUS), Martin Schneider (Fraunhofer FOKUS), Ramon Barakat (Fraunhofer FOKUS)
CVSS Scores
- CVSS v4 metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction; Confidentiality, Integrity and Availability impact for the Vulnerable and Subsequent System
- CVSS v3 metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability
* Common Vulnerability Scoring System
SSVC
- Decision: Track
- Decision factors: Exploitation, Automatable, Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-09-02 CVE Reserved
- 2024-10-11 CVE Published
- 2024-10-31 CVE Updated
- 2024-11-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-401: Missing Release of Memory after Effective Lifetime
- CWE-416: Use After Free
- CWE-755: Improper Handling of Exceptional Conditions
CAPEC
References (10)

URL | Tag | Source
---|---|---
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216 | Issue Tracking |
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217 | Issue Tracking |
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218 | Issue Tracking |
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227 | Issue Tracking |
https://mosquitto.org | Product |

URL | Date | SRC
---|---|---
https://github.com/eclipse/mosquitto/releases/tag/v2.0.19 | 2024-10-11 |
https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17 | 2024-10-31 |

URL | Date | SRC
---|---|---
https://gitlab.eclipse.org/security/cve-assignement/-/issues/26 | 2024-10-11 |
https://access.redhat.com/security/cve/CVE-2024-8376 | 2024-11-05 |
https://bugzilla.redhat.com/show_bug.cgi?id=2318080 | 2024-11-05 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Eclipse Foundation | Mosquitto | 2.0.18 | en | Affected