Home

CVE-2019-11779

Description

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more / characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
6.791

Associated Vulnerability

VulnerabilityOS Platform
Vulnerability CVE-2019-11779 are affected in Mosquitto 1.6.5Windows
Vulnerabilities CVE-2019-11779 are fixed in Eclipse Mosquitto MQTT broker (2.0.18)Windows
Vulnerabilities CVE-2019-11779 are fixed in Eclipse Mosquitto MQTT broker (x64) (2.0.18)Windows
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) mosquitto_1.5.7-1ubuntu0.1_i386.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) mosquitto_1.5.7-1ubuntu0.1_amd64.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) libmosquitto1_1.5.7-1ubuntu0.1_i386.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) libmosquitto1_1.5.7-1ubuntu0.1_amd64.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) libmosquittopp1_1.5.7-1ubuntu0.1_i386.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) libmosquittopp1_1.5.7-1ubuntu0.1_amd64.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) mosquitto-clients_1.5.7-1ubuntu0.1_i386.debLinux
MQTT version 3.1/3.1.1 compatible message broker (USN-4137-1) mosquitto-clients_1.5.7-1ubuntu0.1_amd64.debLinux
mosquitto security update(DSA-4570-1) mosquitto_1.5.7-1+deb10u1_i386.debLinux
mosquitto security update(DSA-4570-1) mosquitto_1.5.7-1+deb10u1_amd64.debLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-333302Eclipse Mosquitto MQTT broker (2.0.18)
PATCH-333303Eclipse Mosquitto MQTT broker (x64) (2.0.18)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234