Vulnerabilities > CVE-2019-11778 - Use After Free vulnerability in Eclipse Mosquitto

CVSS 5.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

LOW

network

low complexity

eclipse

CWE-416

NVD

Published: 2019-09-18

Updated: 2019-10-09

Summary

If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse Mosquitto 1.6 Eclipse Mosquitto 1.6.1 Eclipse Mosquitto 1.6.2 Eclipse Mosquitto 1.6.3 Eclipse Mosquitto 1.6.4	5

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=551162