CVE-2023-3592: 
NixOS vulnerability analysis and mitigation

In Mosquitto before version 2.0.16, a memory leak vulnerability was identified when clients send MQTT v5 CONNECT packets containing will messages with invalid property types. The vulnerability was assigned CVE-2023-3592 and was publicly disclosed in August 2023. This security issue affects Eclipse Mosquitto, an open-source MQTT v3 broker (Mosquitto Release, NVD).

The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction. The Eclipse Foundation assessed it with a lower CVSS score of 5.8 (MEDIUM). The vulnerability is classified under CWE-401: Missing Release of Memory after Effective Lifetime (NVD).

The primary impact of this vulnerability is on system availability through memory resource exhaustion. When exploited, the memory leak can lead to a denial of service condition as system resources are gradually consumed (Gentoo Advisory).

The vulnerability has been fixed in Mosquitto version 2.0.16. Users are advised to upgrade to this version or later to address the security issue. Multiple distributions have released security updates, including Ubuntu, Debian, and Gentoo, providing patched versions through their respective package management systems (Mosquitto Release, Gentoo Advisory).