Vulnerability Details : CVE-2023-5632
In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending any data causes the EPOLLOUT event to be added to the epoll set unconditionally, which results in excessive CPU consumption. This could be used by a malicious actor to perform a denial-of-service attack. This issue is fixed in 2.0.6.
Vulnerability category: Denial of service
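The mechanism behind this advisory is a general epoll pitfall: a connected socket with an empty send buffer is always writable, so a descriptor registered with EPOLLOUT is reported ready on every epoll_wait() call even when the peer never sends a byte, and the event loop spins. The following added example (written for this page; it is not Mosquitto's code) reproduces that on a Linux socketpair and contrasts it with the usual remedy of registering EPOLLOUT only while there is pending output. The function name count_ready_rounds and the 10 ms timeout are this example's own choices.

```c
/* Added example, not Mosquitto's code: why an unconditional EPOLLOUT on an
 * idle connection makes epoll_wait() return immediately every time, and why
 * registering EPOLLOUT only while output is pending removes the busy loop.
 * Requires Linux (epoll). */
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Run up to max_iters rounds of epoll_wait() over one connected socket whose
 * peer never sends anything. Returns how many rounds reported the socket
 * ready, or -1 on setup failure.
 *   want_out != 0 : EPOLLOUT is always set (the vulnerable pattern)
 *   want_out == 0 : EPOLLOUT is set only when there is data to write, which
 *                   for this silent, write-idle connection is never (the fix) */
int count_ready_rounds(int want_out, int max_iters)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    int ep = epoll_create1(0);
    if (ep < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* A server always wants to know about incoming data. */
    struct epoll_event ev = { .events = EPOLLIN, .data.fd = sv[0] };
    int pending_output = 0; /* nothing queued for this client */
    if (want_out || pending_output)
        ev.events |= EPOLLOUT; /* socket is writable: readiness fires at once */

    if (epoll_ctl(ep, EPOLL_CTL_ADD, sv[0], &ev) != 0) {
        close(ep);
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    int ready_rounds = 0;
    for (int i = 0; i < max_iters; i++) {
        struct epoll_event out;
        /* The peer sv[1] stays silent, so only EPOLLOUT can make this return
         * before the 10 ms timeout. */
        int n = epoll_wait(ep, &out, 1, 10);
        if (n > 0)
            ready_rounds++;
    }

    close(ep);
    close(sv[0]);
    close(sv[1]);
    return ready_rounds;
}

int main(void)
{
    printf("EPOLLOUT always registered : %d of 20 rounds ready\n",
           count_ready_rounds(1, 20));
    printf("EPOLLOUT only when pending : %d of 3 rounds ready\n",
           count_ready_rounds(0, 3));
    return 0;
}
```

With EPOLLOUT always registered every round returns immediately, which is exactly the 100% CPU symptom described above; with it registered only while output is queued, an idle client costs the loop nothing. The same check (add EPOLLOUT on enqueue, clear it once the buffer drains) is the pattern to look for when reviewing any epoll or poll based server.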
Products affected by CVE-2023-5632
- cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5632
EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~47% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-5632
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Eclipse Foundation | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | N/A | N/A | RedHat-CVE-2023-5632 | |
CWE ids for CVE-2023-5632
- The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Assigned by:
- emo@eclipse.org (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-5632
- https://github.com/eclipse/mosquitto/pull/2053 (Issue Tracking): "100% CPU usage in case the client doesn't send data - bug fix" by przemyslawzygmunt · Pull Request #2053 · eclipse/mosquitto · GitHub
- https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d (Patch): "Unconditionally adding an event to the epoll causes 100% CPU usage. T…" · eclipse/mosquitto@18bad1f · GitHub