In Eclipse Mosquitto up to version 2.0.18a, an attacker can cause a memory leak, a segmentation fault or a heap use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
[
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/subs.c"
},
"id": "CVE-2024-8376-10e9189a",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"337056396696211375370065786001092106459",
"8961843246953485094131775642543914224",
"166454791643760417007158244368928636838",
"294427575744660341795152532502222001147",
"96863103296686461161453048780358307333",
"113455365822778891971638539350933482566",
"138764729618413915501723838435159875041",
"211864899274173404454516847322983324191",
"16581706942431358390379619585023570332",
"142081254423778928715057102174448366321",
"226083633526564465652891761328552852395",
"190833523707346772944823974535251097378",
"126608501510992767106179895560120885086",
"305731374346909795229133234062916759066",
"308388328437887825539975791542201480257",
"115698597630840267027596880331065830587",
"226895189412259938799097532835915321933",
"287138927305026060592971023143513587972",
"155116390027345718017414008393863415502",
"11830891865567562982402603619939736016"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/persist_write.c"
},
"id": "CVE-2024-8376-129e89c4",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"80365778828807289410735677396110345754",
"84399793592688751125375497620780740400",
"283505685157238129630161251863663184366",
"328707267557203517014843119597757313619"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "test/unit/subs_test.c",
"function": "TEST_sub_add_single"
},
"id": "CVE-2024-8376-27ba1ee4",
"signature_version": "v1",
"digest": {
"function_hash": "85027643375811818722021176488543325132",
"length": 859.0
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/loop.c",
"function": "mosquitto_main_loop"
},
"id": "CVE-2024-8376-2f7cce88",
"signature_version": "v1",
"digest": {
"function_hash": "91057161280735185726808889805556144975",
"length": 2301.0
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/database.c",
"function": "db__open"
},
"id": "CVE-2024-8376-32926d04",
"signature_version": "v1",
"digest": {
"function_hash": "219102679948048100649888224707180227541",
"length": 687.0
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/subs.c",
"function": "sub__add"
},
"id": "CVE-2024-8376-5c31bd63",
"signature_version": "v1",
"digest": {
"function_hash": "55176600448257662500890158445795975451",
"length": 823.0
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/database.c"
},
"id": "CVE-2024-8376-78010467",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"1883258102170875638337795067076559786",
"269258096689304142131300871033033377967",
"277576763025608523073249646091703909156",
"282455343225381701645851441602296243650",
"228317779658633925717727089316633407348",
"293399217824402429274834002241453717821",
"331596523770301794783999350837628845526",
"185723886563308761998443290975415036436",
"9429802617081502960204265032739934613",
"98567767342668555752920386701854113201",
"23075709572412960670036213239291016683"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/database.c",
"function": "db__close"
},
"id": "CVE-2024-8376-7f65223d",
"signature_version": "v1",
"digest": {
"function_hash": "158501280705291584948478308635055034775",
"length": 126.0
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/mosquitto_broker_internal.h"
},
"id": "CVE-2024-8376-8ef40a70",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"45378232856577464034667598334279536997",
"96603207242274731126487602797606380801",
"152916980947672126960421711227745538064",
"216685957878640725145949408103561850668"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/subs.c",
"function": "sub__messages_queue"
},
"id": "CVE-2024-8376-bd32cf2a",
"signature_version": "v1",
"digest": {
"function_hash": "222201869847521988135296162234679964902",
"length": 625.0
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/persist_write.c",
"function": "persist__subs_save_all"
},
"id": "CVE-2024-8376-bfc7b1e0",
"signature_version": "v1",
"digest": {
"function_hash": "82404320710986493696715721667699819220",
"length": 211.0
},
"deprecated": false
},
{
"signature_type": "Function",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/subs.c",
"function": "sub__remove"
},
"id": "CVE-2024-8376-cce9a5af",
"signature_version": "v1",
"digest": {
"function_hash": "171342194965868691105711805377190486608",
"length": 507.0
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "src/loop.c"
},
"id": "CVE-2024-8376-d26e7102",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"49193364896183059064740117620484442574",
"240638093559984819259697138614261690521",
"324783949546271679869764029699243368197",
"334022200416395703309332107612957508546"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/1914b3ee2a18102d0a94cbdbbfeae1afa03edd17",
"target": {
"file": "test/unit/subs_test.c"
},
"id": "CVE-2024-8376-d3ad7047",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"30311554542670550709315789034782611372",
"110272784301115051174489764212983818460",
"59067244618939595402886872348543474303",
"171677027870990509642156292904834357763",
"318667717110755260714528682606559810487",
"86069519756019149565984826298323300479"
]
},
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8376.json"
[
{
"signature_type": "Function",
"source": "https://github.com/eclipse/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79",
"target": {
"file": "src/bridge.c",
"function": "bridge__connect_step1"
},
"id": "CVE-2024-8376-34ff54b6",
"signature_version": "v1",
"digest": {
"function_hash": "328300029930406813138797490881719136165",
"length": 3362.0
},
"deprecated": false
},
{
"signature_type": "Line",
"source": "https://github.com/eclipse/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79",
"target": {
"file": "src/bridge.c"
},
"id": "CVE-2024-8376-8f382462",
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"112744184638913340540592059009065155160",
"173647425033737941360091521005652606556",
"129426418706414116545542920680687959565",
"177013983548820522005115672949777997892",
"261027843247209851251118222858259184730"
]
},
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8376.json"