2244840 – (CVE-2023-5632) CVE-2023-5632 Mosquitto: Possible Denial of Service due to excessive CPE consumption

Bug 2244840 (CVE-2023-5632) - CVE-2023-5632 Mosquitto: Possible Denial of Service due to excessive CPE consumption

Summary: CVE-2023-5632 Mosquitto: Possible Denial of Service due to excessive CPE cons...

Keywords:
Status:	NEW
Alias:	CVE-2023-5632
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2244841
Blocks:	2244839
TreeView+	depends on / blocked

Reported:	2023-10-18 13:50 UTC by Marco Benatto
Modified:	2024-04-30 23:00 UTC (History)
CC List:	22 users (show)
Fixed In Version:	mosquitto 2.0.6
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2023-10-18 13:50:45 UTC

In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6

https://github.com/eclipse/mosquitto/pull/2053
https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d

Note You need to log in before you can comment on or make changes to this bug.

aileenc
bbuckingham
bcourt
chazlett
cmiranda
ehelms
fmariani
gmalinko
janstey
jpoth
jsherril
lzap
mhulan
nmoumoul
orabin
pcongius
pcreech
peholase
pjindal
rchan
tcunning
yfang