CVE-2019-11778: Use After Free
First published: Wed Sep 18 2019(Updated: )
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Mosquitto | >=1.6<1.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-11778?
The severity of CVE-2019-11778 is medium with a severity value of 5.4.
How does CVE-2019-11778 affect Eclipse Mosquitto?
CVE-2019-11778 affects Eclipse Mosquitto versions 1.6.0 to 1.6.4, inclusive.
What is the vulnerability in CVE-2019-11778?
The vulnerability in CVE-2019-11778 is a use after free error.
How can the use after free error be triggered in CVE-2019-11778?
The use after free error in CVE-2019-11778 can be triggered when an MQTT v5 client connects to affected versions of Eclipse Mosquitto and sets a last will and testament, a will delay interval, and a session expiry interval, with the will delay interval set longer than the session expiry interval.
Is there a fix available for CVE-2019-11778?
Yes, the fix for CVE-2019-11778 is available in version 1.6.5 of Eclipse Mosquitto.
- collector/nvd-index
- vendor/eclipse
- canonical/eclipse mosquitto
- version/eclipse mosquitto/1.6