CVE-2023-28366 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2023-28366 Interim 1 7 2025-02-16T02:17:25Z current 2023-09-04T23:19:02Z 2025-02-16T02:17:25Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2023-28366 The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Tumbleweed libmosquitto1-2.0.18-1.1 libmosquitto1-2.0.20-bp155.3.3.1 libmosquitto1-2.0.20-bp156.2.3.1 libmosquittopp1-2.0.18-1.1 libmosquittopp1-2.0.20-bp155.3.3.1 libmosquittopp1-2.0.20-bp156.2.3.1 mosquitto-2.0.18-1.1 mosquitto-2.0.20-bp155.3.3.1 mosquitto-2.0.20-bp156.2.3.1 mosquitto-clients-2.0.18-1.1 mosquitto-clients-2.0.20-bp155.3.3.1 mosquitto-clients-2.0.20-bp156.2.3.1 mosquitto-devel-2.0.18-1.1 mosquitto-devel-2.0.20-bp155.3.3.1 mosquitto-devel-2.0.20-bp156.2.3.1 libmosquitto1-2.0.20-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 libmosquittopp1-2.0.20-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 mosquitto-2.0.20-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 mosquitto-clients-2.0.20-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 mosquitto-devel-2.0.20-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 libmosquitto1-2.0.20-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 libmosquittopp1-2.0.20-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 mosquitto-2.0.20-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 mosquitto-clients-2.0.20-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 mosquitto-devel-2.0.20-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 libmosquitto1-2.0.20-bp155.3.3.1 as a component of openSUSE Leap 15.5 libmosquittopp1-2.0.20-bp155.3.3.1 as a component of openSUSE Leap 15.5 mosquitto-2.0.20-bp155.3.3.1 as a component of openSUSE Leap 15.5 mosquitto-clients-2.0.20-bp155.3.3.1 as a component of openSUSE Leap 15.5 mosquitto-devel-2.0.20-bp155.3.3.1 as a component of openSUSE Leap 15.5 libmosquitto1-2.0.20-bp156.2.3.1 as a component of openSUSE Leap 15.6 libmosquittopp1-2.0.20-bp156.2.3.1 as a component of openSUSE Leap 15.6 mosquitto-2.0.20-bp156.2.3.1 as a component of openSUSE Leap 15.6 mosquitto-clients-2.0.20-bp156.2.3.1 as a component of openSUSE Leap 15.6 mosquitto-devel-2.0.20-bp156.2.3.1 as a component of openSUSE Leap 15.6 libmosquitto1-2.0.18-1.1 as a component of openSUSE Tumbleweed libmosquittopp1-2.0.18-1.1 as a component of openSUSE Tumbleweed mosquitto-2.0.18-1.1 as a component of openSUSE Tumbleweed mosquitto-clients-2.0.18-1.1 as a component of openSUSE Tumbleweed mosquitto-devel-2.0.18-1.1 as a component of openSUSE Tumbleweed The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. CVE-2023-28366 SUSE Package Hub 15 SP5:libmosquitto1-2.0.20-bp155.3.3.1 SUSE Package Hub 15 SP5:libmosquittopp1-2.0.20-bp155.3.3.1 SUSE Package Hub 15 SP5:mosquitto-2.0.20-bp155.3.3.1 SUSE Package Hub 15 SP5:mosquitto-clients-2.0.20-bp155.3.3.1 SUSE Package Hub 15 SP5:mosquitto-devel-2.0.20-bp155.3.3.1 SUSE Package Hub 15 SP6:libmosquitto1-2.0.20-bp156.2.3.1 SUSE Package Hub 15 SP6:libmosquittopp1-2.0.20-bp156.2.3.1 SUSE Package Hub 15 SP6:mosquitto-2.0.20-bp156.2.3.1 SUSE Package Hub 15 SP6:mosquitto-clients-2.0.20-bp156.2.3.1 SUSE Package Hub 15 SP6:mosquitto-devel-2.0.20-bp156.2.3.1 openSUSE Leap 15.5:libmosquitto1-2.0.20-bp155.3.3.1 openSUSE Leap 15.5:libmosquittopp1-2.0.20-bp155.3.3.1 openSUSE Leap 15.5:mosquitto-2.0.20-bp155.3.3.1 openSUSE Leap 15.5:mosquitto-clients-2.0.20-bp155.3.3.1 openSUSE Leap 15.5:mosquitto-devel-2.0.20-bp155.3.3.1 openSUSE Leap 15.6:libmosquitto1-2.0.20-bp156.2.3.1 openSUSE Leap 15.6:libmosquittopp1-2.0.20-bp156.2.3.1 openSUSE Leap 15.6:mosquitto-2.0.20-bp156.2.3.1 openSUSE Leap 15.6:mosquitto-clients-2.0.20-bp156.2.3.1 openSUSE Leap 15.6:mosquitto-devel-2.0.20-bp156.2.3.1 openSUSE Tumbleweed:libmosquitto1-2.0.18-1.1 openSUSE Tumbleweed:libmosquittopp1-2.0.18-1.1 openSUSE Tumbleweed:mosquitto-2.0.18-1.1 openSUSE Tumbleweed:mosquitto-clients-2.0.18-1.1 openSUSE Tumbleweed:mosquitto-devel-2.0.18-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H