CVE-2021-34434: Improper Authorization in Eclipse Foundation Eclipse Mosquitto

Severity
NVD: 5.3 MEDIUM
OSV: 6.5
EPSS
0.4%
top 41.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 30
Latest update: Nov 21

Description

In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

Source | Package | Affected range | Additional ranges
CVEListV5 | the_eclipse_foundation/eclipse_mosquitto | 2.0 to unspecified | +1 more
Debian | eclipse/mosquitto | < 2.0.11-1+deb11u1 | +3 more
Ubuntu | eclipse/mosquitto | < 2.0.11-1ubuntu1.1 | +1 more
NVD | eclipse/mosquitto | 2.0.0 to 2.0.11 |

Also affects: Fedora 34, 35

🔴 Vulnerability Details (4)

OSV: mosquitto vulnerabilities (2023-11-21)
GHSA: GHSA-cj6r-mprf-8cq9: In Eclipse Mosquitto versions 2... (2022-05-24)
CVEList: CVE-2021-34434: In Eclipse Mosquitto versions 2... (2021-08-30)
OSV: CVE-2021-34434: In Eclipse Mosquitto versions 2... (2021-08-30)

📋 Vendor Advisories (2)

Ubuntu: Mosquitto vulnerabilities (2023-11-21)
Debian: CVE-2021-34434: mosquitto - In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plu... (2021)
CVE-2021-34434 — Improper Authorization | cvebase