
ID

VDE-2025-033

Published

2025-04-14 12:00 (CEST)

Last update

2025-04-14 10:05 (CEST)

Vendor(s)

ads-tec Industrial IT GmbH

Product(s)

Article No.    Product Name    Affected Version(s)
DVG-IRF1401    IRF1000         < 2.1.0
DVG-IRF1421    IRF1000         < 2.1.0
DVG-IRF2200    IRF2000         < 6.1.0
DVG-IRF2100    IRF2000         < 6.1.0
DVG-IRF2220    IRF2000         < 6.1.0
DVG-IRF2621    IRF2000         < 6.1.0
DVG-IRF2601    IRF2000         < 6.1.0
DVG-IRF3401    IRF3000         < 2.1.0
DVG-IRF3421    IRF3000         < 2.1.0
DVG-IRF3801    IRF3000         < 2.1.0
DVG-IRF3821    IRF3000         < 2.1.0

Summary

The ADS-TEC firewall products IRF1000, IRF2000, and IRF3000 include Eclipse Mosquitto, which is affected by multiple vulnerabilities. Exploitation requires a compromised upstream MQTT broker, which limits direct device exposure.

Vulnerabilities



Last Update
3. April 2025 15:25
Weakness
Heap-based Buffer Overflow (CWE-122)
Summary

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make an out-of-bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

Adjusted CVSS Score (Product Context):
Base Score: 5.6 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Justification:
AC:H (High): Attacks on the product must be carried out via the MQTT server. This means the attack cannot be directly repeated across different setups, as a new server must be compromised each time.
C/I/A: Downgraded from High to Low due to process sandboxing and reduced privileges.

Details
certvde.com 
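
The missing check behind the SUBACK issue above, shown as an added example that is not code from Eclipse Mosquitto or ads-tec: a stand-alone validator for MQTT v3.1.1 SUBACK packets that rejects one carrying no return codes, plus a callback-side guard on `qos_count`. The function and enum names are hypothetical, the sample packets are constructed, and MQTT v5 properties are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not libmosquitto's). */
enum { SUBACK_OK = 0, SUBACK_MALFORMED = -1, SUBACK_NO_CODES = -2 };

/* Validate an MQTT v3.1.1 SUBACK (fixed header 0x90) received from a broker.
 * On SUBACK_OK, *codes points at the return codes and *count is >= 1. */
int suback_check(const uint8_t *buf, size_t len,
                 const uint8_t **codes, size_t *count)
{
    size_t pos = 1, remaining = 0;
    int shift = 0;
    if (len < 2 || buf[0] != 0x90)
        return SUBACK_MALFORMED;
    for (;;) {  /* decode the "remaining length" varint, at most 4 bytes */
        if (pos >= len || shift > 21)
            return SUBACK_MALFORMED;
        uint8_t b = buf[pos++];
        remaining |= (size_t)(b & 0x7F) << shift;
        shift += 7;
        if (!(b & 0x80))
            break;
    }
    if (remaining != len - pos || remaining < 2)
        return SUBACK_MALFORMED;   /* truncated, or no packet identifier */
    if (remaining == 2)
        return SUBACK_NO_CODES;    /* packet id only: the empty SUBACK case */
    *codes = buf + pos + 2;        /* skip the 2-byte packet identifier */
    *count = remaining - 2;
    return SUBACK_OK;
}

/* Callback-side guard: check qos_count before indexing granted_qos. */
int first_granted_qos(int qos_count, const int *granted_qos)
{
    return (qos_count < 1 || granted_qos == NULL) ? -1 : granted_qos[0];
}

int main(void)
{
    const uint8_t empty[] = { 0x90, 0x02, 0x00, 0x01 };        /* constructed */
    const uint8_t good[]  = { 0x90, 0x03, 0x00, 0x01, 0x01 };  /* constructed */
    const uint8_t *codes = NULL; size_t n = 0;
    printf("empty SUBACK -> %d\n", suback_check(empty, sizeof empty, &codes, &n));
    printf("valid SUBACK -> %d\n", suback_check(good, sizeof good, &codes, &n));
    return 0;
}
```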
Last Update
3. April 2025 15:24
Weakness
Use After Free (CWE-416)
Summary

In Eclipse Mosquitto up to version 2.0.18a, an attacker can cause a memory leak, a segmentation fault or a heap use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

Adjusted CVSS Score (Product Context):
Base Score: 5.9 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Justification:
AC:H (High): Attacks on the product must be carried out via the MQTT server. This means the attack cannot be directly repeated across different setups, as a new server must be compromised each time.

Details
certvde.com 
Last Update
3. April 2025 15:24
Weakness
Double Free (CWE-415)
Summary

In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker, a double free will occur, followed by a crash of the broker.

Adjusted CVSS Score (Product Context):
Base Score: 5.3 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Justification:
AC:H (High): Attacks on the product must be carried out via the MQTT server. This means the attack cannot be directly repeated across different setups, as a new server must be compromised each time.

Details
certvde.com 

Impact

Exploitation could result in denial-of-service (DoS) or Mosquitto crashes. Remote code execution (RCE) is theoretically possible but mitigated by security hardening and user-level process isolation.

Solution

Mitigation

Disable MQTT publishing or ensure connections are made only to trusted and TLS-secured MQTT brokers.

Remediation

Update to firmware IRF1000 v2.1.0, IRF2000 v6.1.0, IRF3000 v2.1.0 or later.

Reported by

CERT@VDE coordinated with ads-tec Industrial IT GmbH