Vulnerability Details CVE-2017-7651
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.212
EPSS Ranking 95.3%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754
- https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
- https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
- https://www.debian.org/security/2018/dsa-4325
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=529754
- https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
- https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
- https://www.debian.org/security/2018/dsa-4325
Products affected by CVE-2017-7651
-
cpe:2.3:a:eclipse:mosquitto:-
-
cpe:2.3:a:eclipse:mosquitto:0.1
-
cpe:2.3:a:eclipse:mosquitto:0.10
-
cpe:2.3:a:eclipse:mosquitto:0.10.1
-
cpe:2.3:a:eclipse:mosquitto:0.10.2
-
cpe:2.3:a:eclipse:mosquitto:0.11.1
-
cpe:2.3:a:eclipse:mosquitto:0.11.2
-
cpe:2.3:a:eclipse:mosquitto:0.11.3
-
cpe:2.3:a:eclipse:mosquitto:0.12
-
cpe:2.3:a:eclipse:mosquitto:0.13
-
cpe:2.3:a:eclipse:mosquitto:0.14
-
cpe:2.3:a:eclipse:mosquitto:0.14.1
-
cpe:2.3:a:eclipse:mosquitto:0.14.2
-
cpe:2.3:a:eclipse:mosquitto:0.14.3
-
cpe:2.3:a:eclipse:mosquitto:0.14.4
-
cpe:2.3:a:eclipse:mosquitto:0.15
-
cpe:2.3:a:eclipse:mosquitto:0.2
-
cpe:2.3:a:eclipse:mosquitto:0.3
-
cpe:2.3:a:eclipse:mosquitto:0.4
-
cpe:2.3:a:eclipse:mosquitto:0.4.1
-
cpe:2.3:a:eclipse:mosquitto:0.4.2
-
cpe:2.3:a:eclipse:mosquitto:0.5
-
cpe:2.3:a:eclipse:mosquitto:0.5.1
-
cpe:2.3:a:eclipse:mosquitto:0.5.2
-
cpe:2.3:a:eclipse:mosquitto:0.5.3
-
cpe:2.3:a:eclipse:mosquitto:0.5.4
-
cpe:2.3:a:eclipse:mosquitto:0.6
-
cpe:2.3:a:eclipse:mosquitto:0.6.1
-
cpe:2.3:a:eclipse:mosquitto:0.7
-
cpe:2.3:a:eclipse:mosquitto:0.8
-
cpe:2.3:a:eclipse:mosquitto:0.8.1
-
cpe:2.3:a:eclipse:mosquitto:0.8.2
-
cpe:2.3:a:eclipse:mosquitto:0.8.3
-
cpe:2.3:a:eclipse:mosquitto:0.9
-
cpe:2.3:a:eclipse:mosquitto:0.9.1
-
cpe:2.3:a:eclipse:mosquitto:0.9.2
-
cpe:2.3:a:eclipse:mosquitto:0.9.3
-
cpe:2.3:a:eclipse:mosquitto:0.99.2
-
cpe:2.3:a:eclipse:mosquitto:1.0
-
cpe:2.3:a:eclipse:mosquitto:1.0.1
-
cpe:2.3:a:eclipse:mosquitto:1.0.2
-
cpe:2.3:a:eclipse:mosquitto:1.0.3
-
cpe:2.3:a:eclipse:mosquitto:1.0.4
-
cpe:2.3:a:eclipse:mosquitto:1.0.5
-
cpe:2.3:a:eclipse:mosquitto:1.1
-
cpe:2.3:a:eclipse:mosquitto:1.1.1
-
cpe:2.3:a:eclipse:mosquitto:1.1.2
-
cpe:2.3:a:eclipse:mosquitto:1.1.3
-
cpe:2.3:a:eclipse:mosquitto:1.1.90
-
cpe:2.3:a:eclipse:mosquitto:1.2
-
cpe:2.3:a:eclipse:mosquitto:1.2.1
-
cpe:2.3:a:eclipse:mosquitto:1.2.2
-
cpe:2.3:a:eclipse:mosquitto:1.2.3
-
cpe:2.3:a:eclipse:mosquitto:1.3
-
cpe:2.3:a:eclipse:mosquitto:1.3.1
-
cpe:2.3:a:eclipse:mosquitto:1.3.2
-
cpe:2.3:a:eclipse:mosquitto:1.3.3
-
cpe:2.3:a:eclipse:mosquitto:1.3.4
-
cpe:2.3:a:eclipse:mosquitto:1.3.5
-
cpe:2.3:a:eclipse:mosquitto:1.4
-
cpe:2.3:a:eclipse:mosquitto:1.4.1
-
cpe:2.3:a:eclipse:mosquitto:1.4.10
-
cpe:2.3:a:eclipse:mosquitto:1.4.11
-
cpe:2.3:a:eclipse:mosquitto:1.4.12
-
cpe:2.3:a:eclipse:mosquitto:1.4.13
-
cpe:2.3:a:eclipse:mosquitto:1.4.14
-
cpe:2.3:a:eclipse:mosquitto:1.4.2
-
cpe:2.3:a:eclipse:mosquitto:1.4.3
-
cpe:2.3:a:eclipse:mosquitto:1.4.4
-
cpe:2.3:a:eclipse:mosquitto:1.4.5
-
cpe:2.3:a:eclipse:mosquitto:1.4.6
-
cpe:2.3:a:eclipse:mosquitto:1.4.7
-
cpe:2.3:a:eclipse:mosquitto:1.4.8
-
cpe:2.3:a:eclipse:mosquitto:1.4.9
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0