CVE-2017-7652 : In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a confi

In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.

Published 2018-04-25 13:29:00

Updated 2019-10-09 23:29:49

Source Eclipse Foundation

View at NVD, CVE.org

Products affected by CVE-2017-7652

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Eclipse » Mosquitto
Versions from including (>=) 1.0 and up to, including, (<=) 1.4.14
cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-7652

EPSS FAQ

0.94%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 74 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-7652

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-7652

CWE-789 Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Assigned by: emo@eclipse.org (Secondary)

References for CVE-2017-7652

https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html

[SECURITY] [DLA 1409-1] mosquitto security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html

[SECURITY] [DLA 1334-1] mosquitto security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102

530102 – (CVE-2017-7652) Reloading Mosquitto configuration may fail if no file descriptors are available
Issue Tracking;Third Party Advisory
https://www.debian.org/security/2018/dsa-4325

Debian -- Security Information -- DSA-4325-1 mosquitto
Third Party Advisory

CVEs referencing this url
https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/

Security advisory: CVE-2017-7651, CVE-2017-7652 | Eclipse Mosquitto
Patch;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-7652

Products affected by CVE-2017-7652

Exploit prediction scoring system (EPSS) score for CVE-2017-7652

CVSS scores for CVE-2017-7652

CWE ids for CVE-2017-7652

References for CVE-2017-7652