CVE-2024-8376: Memory leak
First published: Fri Oct 11 2024(Updated: )
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| TIBCO Messaging - Eclipse Mosquitto Distribution - Core | <2.0.19 |
Remedy
https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/26
- https://github.com/eclipse/mosquitto/releases/tag/v2.0.19
- https://mosquitto.org/
- https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17
- https://access.redhat.com/errata/RHSA-2024:8718
- https://access.redhat.com/errata/RHSA-2024:8719
- https://access.redhat.com/errata/RHSA-2024:8906
- https://bugzilla.redhat.com/show_bug.cgi?id=2318080
Frequently Asked Questions
What is the severity of CVE-2024-8376?
CVE-2024-8376 is categorized as a high severity vulnerability due to its potential to cause memory leaks and segmentation faults.
What versions of Eclipse Mosquitto are affected by CVE-2024-8376?
Eclipse Mosquitto versions up to and including 2.0.18a are affected by CVE-2024-8376.
How do I fix CVE-2024-8376?
To mitigate CVE-2024-8376, upgrade to Eclipse Mosquitto version 2.0.19 or later.
What types of attacks does CVE-2024-8376 enable?
CVE-2024-8376 allows attackers to perform memory leaking, segmentation faults, or heap-use-after-free attacks through specific MQTT packet sequences.
Is there a workaround for CVE-2024-8376 if upgrading is not possible?
Currently, there are no documented workarounds for CVE-2024-8376, and upgrading is recommended.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-8376
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/eclipse
- canonical/tibco messaging - eclipse mosquitto distribution - core