CVE-2024-3935

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3935

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3935.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-3935

Related

Published

2024-10-30T12:15:03Z

Modified

2025-02-20T10:50:18.731896Z

Downstream

DLA-4059-1

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.

References

Affected packages

Debian:11 / mosquitto

Package

Name: mosquitto
Purl: pkg:deb/debian/mosquitto?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.11-1+deb11u2

Affected versions

2.*

2.0.11-1

2.0.11-1+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / mosquitto

Package

Name: mosquitto
Purl: pkg:deb/debian/mosquitto?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.11-1.2

2.0.11-1.2+deb12u1

2.0.15-1

2.0.15-2~bpo12+1

2.0.15-2

2.0.17-1

2.0.17-2

2.0.17-3

2.0.18-1~bpo12+1

2.0.18-1

2.0.18-1.1

2.0.20-1~bpo12+1

2.0.20-1

2.0.20-2

2.0.20-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / mosquitto

Package

Name: mosquitto
Purl: pkg:deb/debian/mosquitto?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.20-1

Affected versions

2.*

2.0.11-1.2

2.0.15-1

2.0.15-2~bpo12+1

2.0.15-2

2.0.17-1

2.0.17-2

2.0.17-3

2.0.18-1~bpo12+1

2.0.18-1

2.0.18-1.1

2.0.20-1~bpo12+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse-mosquitto/mosquitto

Affected ranges

Type: GIT
Repo: https://github.com/eclipse-mosquitto/mosquitto
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ae7a804dadac8f2aaedb24336df8496a9680fda9

Type: GIT
Repo: https://github.com/eclipse/mosquitto
Events: Introduced

c00671af5c25593bebf065ed8820f7f00ee85efe

Fixed

5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79

Affected versions

v1.*

v1.4

v1.4.1

v1.4.10

v1.4.11

v1.4.12

v1.4.13

v1.4.14

v1.4.15

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.5

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.7

v1.5.8

v1.6

v1.6.1

v1.6.10

v1.6.11

v1.6.12

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.17

v2.0.18

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9