Bug 551160 (CVE-2019-11779) - Mosquitto: CVE request - extremely deep hierarchy causes stack overflow
Summary: Mosquitto: CVE request - extremely deep hierarchy causes stack overflow
Status: RESOLVED FIXED
Alias: CVE-2019-11779
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports (show other bugs)
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2019-09-17 07:13 EDT by Roger Light
Modified: 2019-10-17 14:15 EDT

See Also:

Description Roger Light 2019-09-17 07:13:45 EDT
If a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Affects: 1.5.0 to 1.6.5 inclusive. Fixed in 1.5.9 and 1.6.6.

CWE-754: Improper Check for Unusual or Exceptional Conditions

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1

This has, unfortunately, already been disclosed.
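As an added example that is not part of this bug report or of Mosquitto's own code: a bounded, iterative depth check that a broker could apply to every topic filter in a SUBSCRIBE payload before handing it to any per-level (and potentially recursive) processing, which is where an unbounded run of '/' separators becomes a stack problem. The MAX_TOPIC_DEPTH value, the function names and the two sample packets are assumptions constructed here, not taken from the advisory or the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy value (not from the advisory): most '/'-separated levels a
 * SUBSCRIBE topic filter may have before the broker rejects it outright. */
#define MAX_TOPIC_DEPTH 200
/* Count hierarchy levels without recursion: "a/b/c" -> 3, "/" -> 2. */
size_t topic_depth(const char *topic, size_t len) {
    size_t depth = 1;
    for (size_t i = 0; i < len; i++)
        if (topic[i] == '/') depth++;
    return depth;
}

/* Walk an MQTT 3.1.1 SUBSCRIBE payload: 2-byte packet identifier, then one or
 * more { 2-byte big-endian length, topic filter bytes, 1 QoS byte } entries.
 * Returns the number of filters accepted, or -1 if the payload is truncated,
 * a filter is empty, the QoS is invalid, or a filter exceeds max_depth. */
int check_subscribe_payload(const uint8_t *p, size_t len, size_t max_depth) {
    size_t off = 2;  /* skip packet identifier */
    int count = 0;
    if (len < 2) return -1;
    while (off < len) {
        if (len - off < 2) return -1;
        size_t tlen = ((size_t)p[off] << 8) | p[off + 1];
        off += 2;
        if (len - off < tlen + 1 || tlen == 0) return -1;
        if (topic_depth((const char *)p + off, tlen) > max_depth) return -1;
        if (p[off + tlen] > 2) return -1;  /* QoS must be 0, 1 or 2 */
        off += tlen + 1;
        count++;
    }
    return count == 0 ? -1 : count;  /* at least one filter is required */
}

/* Constructed sample: one well-formed filter "sensors/+/temp" with QoS 0. */
int demo_benign(void) {
    const uint8_t pkt[] = { 0x00, 0x01, 0x00, 14, 's', 'e', 'n', 's', 'o', 'r',
                            's', '/', '+', '/', 't', 'e', 'm', 'p', 0x00 };
    return check_subscribe_payload(pkt, sizeof pkt, MAX_TOPIC_DEPTH);
}

/* Constructed sample: a filter of 300 '/' characters (301 levels). The depth
 * check rejects it before any per-level processing could consume stack. */
int demo_deep(void) {
    static uint8_t pkt[2 + 2 + 300 + 1] = { 0x00, 0x02, 0x01, 0x2c };  /* id, len 300 */
    memset(pkt + 4, '/', 300);  /* trailing QoS byte stays 0 */
    return check_subscribe_payload(pkt, sizeof pkt, MAX_TOPIC_DEPTH);
}
```

The same check is equally useful in an MQTT-aware proxy or IDS rule in front of an unpatched broker, since a rejected filter never reaches the topic tree.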
Comment 1 Wayne Beaton 2019-09-18 11:27:28 EDT
I've sent this to the central authority.

https://github.com/CVEProject/cvelist/pull/2560
Comment 2 Roger Light 2019-09-24 05:23:19 EDT
Thanks Wayne