CVE-2021-34431 — Missing Release of Memory after Effective Lifetime in Eclipse Foundation Eclipse Mosquitto

CWE-401 — Missing Release of Memory after Effective Lifetime7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 41.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Mosquitto Eclipse Mosquitto

Timeline

PublishedJul 22

Latest updateNov 21

Description

In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5the_eclipse_foundation/eclipse_mosquitto1.6 — unspecified+1

▶Debianeclipse/mosquitto< 2.0.11-1+3

▶Ubuntueclipse/mosquitto< 2.0.11-1ubuntu1.1+1

▶NVDeclipse/mosquitto1.6 — 2.0.10

🔴Vulnerability Details

OSV

mosquitto vulnerabilities↗2023-11-21

▶

GHSA

GHSA-j546-3m5x-fx7p: In Eclipse Mosquitto version 1↗2022-05-24

▶

OSV

CVE-2021-34431: In Eclipse Mosquitto version 1↗2021-07-22

▶

CVEList

CVE-2021-34431: In Eclipse Mosquitto version 1↗2021-07-22

▶

📋Vendor Advisories

Ubuntu

Mosquitto vulnerabilities↗2023-11-21

▶

Debian

CVE-2021-34431: mosquitto - In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had ...↗2021

▶