CVE-2021-34434
Published 2021-08-30
CVE-2021-34434: In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked…
Priority P428 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.37% (68.4th percentile)
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < mosquitto 2.0.11-1.2+deb12u1 (bookworm) | mosquitto 2.0.11-1.2+deb12u1 (bookworm) |
| eclipse | mosquitto | >= 0 < 2.0.11-1+deb11u1 | 2.0.11-1+deb11u1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1.2+deb12u1 | 2.0.11-1.2+deb12u1 |
| eclipse | mosquitto | >= 0 < 2.0.15-1 | 2.0.15-1 |
| eclipse | mosquitto | >= 0 < 2.0.15-1 | 2.0.15-1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1ubuntu1.1 | 2.0.11-1ubuntu1.1 |
| eclipse | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm1 | 1.6.9-1ubuntu0.1~esm1 |
| eclipse | mosquitto | 2.0.0 – 2.0.11 | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| the_eclipse_foundation | eclipse_mosquitto | >= 2.0 < unspecified | unspecified |
| the_eclipse_foundation | eclipse_mosquitto | unspecified – 2.0.11 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
Ubuntu
Mosquitto vulnerabilities
vendor_ubuntu · 2023-11-21 · CVSS 6.5
CVE-2023-0809 [MEDIUM] Mosquitto vulnerabilities
Title: Mosquitto vulnerabilities
Summary: Several security issues were fixed in Mosquitto.
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-34431)

Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause an authorisation bypass. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2021-34434)

Zhanxiang Song, Bin Yuan, DeQing Zou, and Hai Jin discovered that Mosquitto incorrectly han
Debian
CVE-2021-34434: mosquitto - In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plu...
vendor_debian · 2021 · CVSS 5.3
CVE-2021-34434 [MEDIUM]
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
Scope: local
bookworm: resolved (fixed in 2.0.11-1.2+deb12u1)
bullseye: resolved (fixed in 2.0.11-1+deb11u1)
forky: resolved (fixed in 2.0.15-1)
sid: resolved (fixed in 2.0.15-1)
trixie: resolved (fixed in 2.0.15-1)
OSV
mosquitto vulnerabilities
osv · 2023-11-21 · CVSS 6.5
CVE-2021-34431 [MEDIUM] mosquitto vulnerabilities
GHSA
GHSA-cj6r-mprf-8cq9: In Eclipse Mosquitto versions 2
ghsa_unreviewed · 2022-05-24
CVE-2021-34434 [MEDIUM] CWE-285 GHSA-cj6r-mprf-8cq9
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
OSV
CVE-2021-34434: In Eclipse Mosquitto versions 2
osv · 2021-08-30 · CVSS 5.3
CVE-2021-34434 [MEDIUM]
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=575324
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4WWGVF5BUFPYPCFUPPP4KRIYI5OTJN2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLUUM52Y6AEICPXPSRRXC6OBY4H5XKW7/
- https://www.debian.org/security/2023/dsa-5511
Published: 2021-08-30