Eclipse Mosquitto vulnerabilities
26 known vulnerabilities affecting eclipse/mosquitto.
Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 14, MEDIUM 11
Vulnerabilities
Page 2 of 2
CVE-2021-34431: MEDIUM (P4), CVSS 6.5, CWE-401. Affected versions: ≥ 1.6, ≤ 2.0.10. Date: 2021-07-22. Sources: NVD, OSV.
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker, a memory leak would occur, which could be used to provide a DoS attack against the broker.
CVE-2021-34434: MEDIUM (P4), CVSS 5.3, CWE-285. Affected versions: ≥ 2.0.0, ≤ 2.0.11. Date: 2021-08-30. Sources: NVD, OSV.
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
CVE-2023-0809: MEDIUM (P4), CVSS 5.3, CWE-789. Affected versions: fixed in 2.0.16. Date: 2023-10-02. Sources: NVD, OSV.
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
CVE-2019-11778: MEDIUM (P4), CVSS 5.4, CWE-416. Affected versions: ≥ 1.6, < 1.6.5. Date: 2019-09-18. Sources: NVD, OSV.
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.
CVE-2017-7653: MEDIUM (P4), CVSS 5.3, CWE-20. Affected versions: ≤ 1.4.15. Date: 2018-06-05. Sources: NVD, OSV.
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.
CVE-2017-9868: MEDIUM (P4), CVSS 5.5, CWE-200. Affected versions: ≤ 1.4.12. Date: 2017-06-25. Sources: NVD, OSV.
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.