First published: Wed Sep 18 2019
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix |
---|---|---|
Eclipse Mosquitto | >=1.6<1.6.5 | |
The severity of CVE-2019-11778 is medium with a severity value of 5.4.
CVE-2019-11778 affects Eclipse Mosquitto versions 1.6.0 to 1.6.4, inclusive.
The vulnerability in CVE-2019-11778 is a use after free error.
The use after free error in CVE-2019-11778 can be triggered when an MQTT v5 client connects to affected versions of Eclipse Mosquitto and sets a last will and testament, a will delay interval, and a session expiry interval, with the will delay interval set longer than the session expiry interval.
Yes, the fix for CVE-2019-11778 is available in version 1.6.5 of Eclipse Mosquitto.