CVE-2021-34431
Published 2021-07-22. CVE-2021-34431: In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory…
Priority: P428 · Severity: medium · Score: 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.11% (61.9th percentile)
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < mosquitto 2.0.11-1 (bookworm) | mosquitto 2.0.11-1 (bookworm) |
| eclipse | mosquitto | >= 0 < 2.0.11-1 | 2.0.11-1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1ubuntu1.1 | 2.0.11-1ubuntu1.1 |
| eclipse | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm1 | 1.6.9-1ubuntu0.1~esm1 |
| eclipse | mosquitto | 1.6 – 2.0.10 | — |
| the_eclipse_foundation | eclipse_mosquitto | >= 1.6 < unspecified | unspecified |
| the_eclipse_foundation | eclipse_mosquitto | unspecified – 2.0.10 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
OSV
mosquitto vulnerabilities
osv·2023-11-21·CVSS 6.5
CVE-2021-34431 [MEDIUM] mosquitto vulnerabilities
mosquitto vulnerabilities
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)
Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)
Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly handled certain inputs. If a user or an automated system were
provide
GHSA
GHSA-j546-3m5x-fx7p: In Eclipse Mosquitto version 1
ghsa_unreviewed·2022-05-24
CVE-2021-34431 [MEDIUM] CWE-401 GHSA-j546-3m5x-fx7p: In Eclipse Mosquitto version 1
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.
OSV
CVE-2021-34431: In Eclipse Mosquitto version 1
osv·2021-07-22·CVSS 6.5
CVE-2021-34431 [MEDIUM] CVE-2021-34431: In Eclipse Mosquitto version 1
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.
Ubuntu
Mosquitto vulnerabilities
vendor_ubuntu·2023-11-21·CVSS 6.5
CVE-2023-0809 [MEDIUM] Mosquitto vulnerabilities
Title: Mosquitto vulnerabilities
Summary: Several security issues were fixed in Mosquitto.
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain
inputs. If a user or an automated system were provided with a specially crafted
input, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)
Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If
a user or an automated system were provided with a specially crafted input, a
remote attacker could possibly use this issue to cause an authorisation bypass.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)
Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto
incorrectly han
Debian
CVE-2021-34431: mosquitto - In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had ...
vendor_debian·2021·CVSS 6.5
CVE-2021-34431 [MEDIUM] CVE-2021-34431: mosquitto - In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had ...
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.
Scope: local
bookworm: resolved (fixed in 2.0.11-1)
bullseye: resolved (fixed in 2.0.11-1)
forky: resolved (fixed in 2.0.11-1)
sid: resolved (fixed in 2.0.11-1)
trixie: resolved (fixed in 2.0.11-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-07-22