CVE-2024-10525

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c	Patch
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190	Exploit Issue Tracking Vendor Advisory
https://mosquitto.org/blog/2024/10/version-2-0-19-released/	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*

History

29 Jan 2025, 17:04

Type	Values Removed	Values Added
CPE		cpe:2.3:a:eclipse:mosquitto::::::::
References	~~() https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c -~~	() https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c - Patch
References	~~() https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190 -~~	() https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190 - Exploit, Issue Tracking, Vendor Advisory
References	~~() https://mosquitto.org/blog/2024/10/version-2-0-19-released/ -~~	() https://mosquitto.org/blog/2024/10/version-2-0-19-released/ - Release Notes
First Time		Eclipse mosquitto Eclipse
CWE		CWE-787
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

09 Jan 2025, 18:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.1~~	v2 : unknown v3 : unknown

Information

Published : 2024-10-30 12:15

Updated : 2025-01-29 17:04

NVD link : CVE-2024-10525

Mitre link : CVE-2024-10525

CVE.ORG link : CVE-2024-10525

JSON object : View

Products Affected

eclipse

mosquitto

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2024-10525", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.2, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "LOW", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-30T12:15:02.787", "references": [{"url": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c", "tags": ["Patch"], "source": "emo@eclipse.org"}, {"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "emo@eclipse.org"}, {"url": "https://mosquitto.org/blog/2024/10/version-2-0-19-released/", "tags": ["Release Notes"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-122"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients."}, {"lang": "es", "value": "En Eclipse Mosquitto, desde la versi\u00f3n 1.3.2 hasta la 2.0.18, si un agente malintencionado env\u00eda un paquete SUBACK manipulado sin c\u00f3digos de motivo, un cliente que utilice libmosquitto puede realizar un acceso a la memoria fuera de los l\u00edmites cuando act\u00fae en su devoluci\u00f3n de llamada on_subscribe. Esto afecta a los clientes mosquitto_sub y mosquitto_rr."}], "lastModified": "2025-01-29T17:04:54.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9BB81397-7EC9-43AF-A667-8BFC80BB65E4", "versionEndExcluding": "2.0.19", "versionStartIncluding": "1.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}