CVE-2024-3935
PUBLISHED
CVSS 6 MEDIUM
In Eclipse Mosquitto, versions 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then a crafted PUBLISH packet sent by the remote connection to the broker causes a double free and a subsequent crash of the broker.
EPSS 0.38% · 60.0th percentile
Risk Scores
CVSS v4.0
6
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.38%
60.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| eclipse_foundation | mosquitto | 2.0.0 |
| eclipse | mosquitto | 2.0.0 |
| Eclipse Foundation | mosquitto | 2.0.0 |
Timeline
- Oct 30, 2024 Coalition ESS Score
- Oct 30, 2024 Coalition ESS Score
- Oct 30, 2024 CVE Published
- Oct 31, 2024 EPSS Score
- Oct 31, 2024 Coalition ESS Score
- Nov 1, 2024 Coalition ESS Score
- Nov 18, 2024 EPSS Score
- Dec 7, 2024 EPSS Score
- Dec 25, 2024 EPSS Score
- Jan 12, 2025 EPSS Score
- Jan 30, 2025 EPSS Score
- Feb 17, 2025 EPSS Score
References
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197 url
- https://mosquitto.org/blog/2024/10/version-2-0-19-released/ url
- https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9 url
- https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html url
- https://nvd.nist.gov/vuln/detail/CVE-2024-3935 advisory