Community
Participate
Working Groups
It is possible to cause mosquitto versions 1.5 to 1.5.2 to crash by publishing to a topic that starts with $ but that is not $SYS, e.g. $TEST. CVSS v2 score 6.8 : https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C) CVSS v3 score 7.2 : https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C Could I have a CVE assigned please?
We'll use CVE-2018-12543 I'll to know the versions affected (ranges are okay), a single sentence description of the issue, and a CWE to report this upstream.
Thanks Wayne. Versions are 1.5 to 1.5.2 inclusive. If a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. CWE: https://cwe.mitre.org/data/definitions/617.html I intend to release fixes for this today if all the packages are done.
I will be announcing this bug at 2018-09-27 1100 UTC and have coordinated with projects that package mosquitto.
I'm a little late on this, sorry. I've created a pull request to have this published. https://github.com/CVEProject/cvelist/pull/1252