Eclipse Mosquitto vulnerabilities

CVE-2017-7654 [HIGH] CWE-401 CVE-2017-7654: In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

CVE-2017-7653 [MEDIUM] CWE-20 CVE-2017-7653: The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

CVE-2017-7652 [HIGH] CWE-789 CVE-2017-7652: In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening t

CVE-2017-7651 [HIGH] CWE-789 CVE-2017-7651: In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memo In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

CVE-2017-7650 [MEDIUM] CWE-287 CVE-2017-7650: In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/cl In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

CVE-2017-9868 [MEDIUM] CWE-200 CVE-2017-9868: In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.