CVE-2017-7653

EPSS 0.93%
Published 05.06.2018 20:29:00
Last modified 21.11.2024 03:32:23
Source emo@eclipse.org
Teams watchlist Login
Open Login

The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Mosquitto Version <= 1.4.15

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.93%	0.754

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.debian.org/debian-lts-announce/2018/09/msg00036.html

Third Party Advisory

Mailing List

https://www.debian.org/security/2018/dsa-4325

Third Party Advisory

http://docs.oasis-open.org/mqtt/disallowed-chars/v1.0/disallowed-chars-v1.0.pdf

Third Party Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113

Third Party Advisory

Issue Tracking

https://usn.ubuntu.com/4023-1/

https://nvd.nist.gov/vuln/detail/CVE-2017-7653

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-7653

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-7653

EUVD