CVE-2024-8376

Name
CVE-2024-8376
Description
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type             URI
issue-tracking   https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216
issue-tracking   https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217
issue-tracking   https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218
issue-tracking   https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227
vendor-advisory  https://gitlab.eclipse.org/security/cve-assignement/-/issues/26
patch            https://github.com/eclipse/mosquitto/releases/tag/v2.0.19
product          https://mosquitto.org/

Match rules

CPE URI   Source package   Min version   Max version
          mosquitto        == 2.0.18     == 2.0.18
          mosquitto        == 2.0.19     == 2.0.19

Vulnerable and fixed packages

Source package   Branch      Version     Maintainer                              Status
mosquitto        3.20-main   2.0.18-r0   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable
mosquitto        3.19-main   2.0.18-r0   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable
mosquitto        3.18-main   2.0.18-r0   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable