7.5

CVE-2017-7651

Exploit
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EclipseMosquitto Version <= 1.4.14
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.29% 0.915
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

CWE-789 Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754
Third Party Advisory
Exploit
Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
Third Party Advisory
Mailing List
https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
Patch
Vendor Advisory
https://www.debian.org/security/2018/dsa-4325
Third Party Advisory