Vulnerability Name:

CVE-2019-11779 (CCN-167357)

Assigned: 2019-09-18
Published: 2019-09-18
Updated: 2021-10-28
Summary: In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-674
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2019-11779

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2019:2206

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2019:2247

Source: CCN
Type: Bugzilla – Bug 551160
(CVE-2019-11779) - Mosquitto: CVE request - extremely deep hierarchy causes stack overflow

Source: CONFIRM
Type: Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160

Source: XF
Type: UNKNOWN
eclipse-cve201911779-dos(167357)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20191026 [SECURITY] [DLA 1972-1] mosquitto security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-d99e2329cb

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-4c69fb4cd7

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2019-8b83c261dd

Source: CCN
Type: Eclipse Web site
Eclipse Mosquitto

Source: BUGTRAQ
Type: Mailing List, Third Party Advisory
20191118 [SECURITY] [DSA 4570-1] mosquitto security update

Source: UBUNTU
Type: Third Party Advisory
USN-4137-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4570

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-11779

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:eclipse:mosquitto:*:*:*:*:*:*:*:* (Version >= 1.6 and < 1.6.6)
  • OR cpe:/a:eclipse:mosquitto:*:*:*:*:*:*:*:* (Version >= 1.5 and < 1.5.9)

Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:eclipse:mosquitto:1.6.5:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions (Class: P = patch definition, V = vulnerability definition)
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:93473 | P | (Important) | 2022-07-12
oval:org.opensuse.security:def:201911779 | V | CVE-2019-11779 | 2022-06-30
oval:org.opensuse.security:def:112700 | P | libmosquitto1-2.0.11-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:74392 | P | Security update for wireshark (Moderate) | 2021-12-06
oval:org.opensuse.security:def:106176 | P | libmosquitto1-2.0.11-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:63503 | P | oath-toolkit-2.6.2-1.15 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62658 | P | libXt6-32bit-1.1.5-2.24 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62457 | P | libmpg123-0-1.25.10-1.38 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62937 | P | bsdtar-3.4.2-2.24 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62458 | P | libndp-devel-1.6-1.26 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63139 | P | apache2-2.4.33-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62481 | P | newt-devel-0.52.20-5.35 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63277 | P | libmariadbd-devel-10.4.13-1.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:64070 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:74266 | P | Recommended update for evince (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64172 | P | Security update for gcc10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63830 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:64214 | P | autofs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63964 | P | Security update for curl (Important) | 2020-12-01
oval:org.opensuse.security:def:64326 | P | libgcrypt-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:100186 | P | Security update for mosquitto (Moderate) | 2019-10-03
oval:org.opensuse.security:def:110016 | P | Security update for mosquitto (Moderate) | 2019-09-28
oval:com.ubuntu.disco:def:2019117790000000 | V | CVE-2019-11779 on Ubuntu 19.04 (disco) - medium. | 2019-09-19
oval:com.ubuntu.bionic:def:2019117790000000 | V | CVE-2019-11779 on Ubuntu 18.04 LTS (bionic) - untriaged. | 2019-09-19
oval:com.ubuntu.xenial:def:2019117790000000 | V | CVE-2019-11779 on Ubuntu 16.04 LTS (xenial) - untriaged. | 2019-09-19