CVE-2024-10525 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-10525

CVE-2024-10525

October 30, 2024

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

Affected Packages

mosquitto (CONAN):

Affected version(s) >=1.6.12 <2.0.19

Fix Suggestion:

Update to version 2.0.19

Related Resources (5)

https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html

https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190

https://mosquitto.org/blog/2024/10/version-2-0-19-released/

https://security-tracker.debian.org/tracker/CVE-2024-10525

Do you need more information?

CVSS v4

Base Score:

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Heap-based Buffer Overflow

CWE-122

Out-of-bounds Write

CWE-787

EPSS

Base Score:

17.51

Products

Solutions

Resources

Company

Compare

Developer Tools