CVE-2023-0809 - Vulnerability Details - OpenCVE

In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Eclipse	Mosquitto
Redhat	Satellite Satellite Capsule

Configuration 1 [-]

cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Satellite 6.13 for RHEL 8
mosquitto-0:2.0.17-1.el8sat	cpe:/a:redhat:satellite:6.13::el8	RHSA-2024:1061	2024-02-29T00:00:00Z
mosquitto-0:2.0.17-1.el8sat	cpe:/a:redhat:satellite_capsule:6.13::el8	RHSA-2024:1061	2024-02-29T00:00:00Z
Red Hat Satellite 6.14 for RHEL 8
mosquitto-0:2.0.17-1.el8sat	cpe:/a:redhat:satellite:6.14::el8	RHSA-2024:0797	2024-02-13T00:00:00Z
mosquitto-0:2.0.17-1.el8sat	cpe:/a:redhat:satellite_capsule:6.14::el8	RHSA-2024:0797	2024-02-13T00:00:00Z

References

Link	Providers
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://nvd.nist.gov/vuln/detail/CVE-2023-0809
https://security.gentoo.org/glsa/202401-09
https://www.cve.org/CVERecord?id=CVE-2023-0809

History

Fri, 20 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2023-10-02T18:56:26.824Z

Updated: 2025-02-13T16:39:08.267Z

Reserved: 2023-02-13T14:04:10.012Z

Link: CVE-2023-0809

Vulnrichment

Updated: 2024-08-02T05:24:34.509Z

NVD

Status : Modified

Published: 2023-10-02T19:15:09.717

Modified: 2024-11-21T07:37:52.583

Link: CVE-2023-0809

Redhat

Severity : Moderate

Publid Date: 2023-09-01T00:00:00Z

Links: CVE-2023-0809 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2023-0809", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:39:08.267Z", "datePublished": "2023-10-02T18:56:26.824Z", "dateReserved": "2023-02-13T14:04:10.012Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mosquitto", "vendor": "Eclipse", "versions": [{"lessThan": "2.0.16", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}], "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2024-01-07T10:06:16.711Z", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"url": "https://security.gentoo.org/glsa/202401-09"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:24:34.509Z"}, "title": "CVE Program Container", "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-09", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T14:51:17.455933Z", "id": "CVE-2023-0809", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T14:51:34.000Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202401-09", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:24:34.509Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-0809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-20T14:51:17.455933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T14:51:30.507Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse", "product": "Mosquitto", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"url": "https://security.gentoo.org/glsa/202401-09"}], "x_generator": {"engine": "SecretariatVulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.", "supportingMedia": [{"type": "text/html", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-01-07T10:06:16.711Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0809", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:39:08.267Z", "dateReserved": "2023-02-13T14:04:10.012Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2023-10-02T18:56:26.824Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "matchCriteriaId": "C744F41F-1469-4455-8C1C-B06373070721", "versionEndExcluding": "2.0.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets."}, {"lang": "es", "value": "En Mosquitto anterior a 2.0.16, el exceso de memoria se asigna en funci\u00f3n de paquetes iniciales maliciosos que no son paquetes CONNECT."}], "id": "CVE-2023-0809", "lastModified": "2024-11-21T07:37:52.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "emo@eclipse.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-02T19:15:09.717", "references": [{"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"source": "emo@eclipse.org", "url": "https://security.gentoo.org/glsa/202401-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202401-09"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1061", "cpe": "cpe:/a:redhat:satellite_capsule:6.13::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}, {"advisory": "RHSA-2024:0797", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "mosquitto-0:2.0.17-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-02-13T00:00:00Z"}], "bugzilla": {"description": "mosquitto: memory leak leads to unresponsive broker", "id": "2236882", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236882"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.", "A memory leak vulnerability was found in Eclipse Mosquitto. This issue is triggered by malicious initial packets or certain client actions and may allow a remote attacker to the deplete system resources causing memory exhaustion, leading to a disruption in services and a denial of service condition."], "name": "CVE-2023-0809", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "mosquitto", "product_name": "Red Hat Integration Camel K"}], "public_date": "2023-09-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0809\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0809\nhttps://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"], "threat_severity": "Moderate", "upstream_fix": "mosquitto 2.0.16"}