Latest eclipse mosquitto Vulnerabilities

CVE-2023-5632
In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. T...
Eclipse Mosquitto<2.0.6
CVE-2023-3592
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
<2.0.16
Eclipse Mosquitto<2.0.16
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
CVE-2023-0809
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
Eclipse Mosquitto<2.0.16
redhat/mosquitto<2.0.16
CVE-2023-28366
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond t...
>=1.3.2<2.0.16
Eclipse Mosquitto>=1.3.2<2.0.16
debian/mosquitto<=1.5.7-1+deb10u1<=2.0.11-1<=2.0.11-1.2
CVE-2021-41039
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possi...
Eclipse Mosquitto>=1.6<=2.0.11
debian/mosquitto<=2.0.11-1
CVE-2021-34434
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then exis...
Eclipse Mosquitto>=2.0.0<=2.0.11
Fedoraproject Fedora=34
Fedoraproject Fedora=35
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
CVE-2021-34432
In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.
Eclipse Mosquitto<=2.0.7
CVE-2021-34431
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to pr...
Eclipse Mosquitto>=1.6<=2.0.10
CVE-2021-28166
In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.
Eclipse Mosquitto>=2.0.0<=2.0.9
CVE-2019-11778
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay int...
Eclipse Mosquitto>=1.6<1.6.5
CVE-2019-11779
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierar...
debian/mosquitto<=1.6.4-1<=1.5.7-1
Eclipse Mosquitto>=1.5<1.5.9
Eclipse Mosquitto>=1.6<1.6.6
Canonical Ubuntu Linux=19.04
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
and 8 more
CVE-2017-7655
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.
Eclipse Mosquitto>=1.0<=1.4.15
Debian Debian Linux=8.0
Debian Debian Linux=9.0
CVE-2018-12546
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to ...
Eclipse Mosquitto>=1.0<=1.5.5
CVE-2018-12550
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though...
Eclipse Mosquitto>=1.0<=1.5.5
CVE-2018-20145
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then t...
Eclipse Mosquitto>=1.5<1.5.5
CVE-2018-12543
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that s...
Eclipse Mosquitto>=1.5.0<=1.5.2
CVE-2017-7653
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect them...
Eclipse Mosquitto<=1.4.15
Debian Debian Linux=8.0
Debian Debian Linux=9.0
ubuntu/mosquitto<1.4.15-2ubuntu0.18.04.3
ubuntu/mosquitto<1.4.15-2ubuntu0.18.10.3
ubuntu/mosquitto<1.5.4-1
and 2 more
CVE-2017-7654
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of servi...
Eclipse Mosquitto<=1.4.15
Debian Debian Linux=8.0
Debian Debian Linux=9.0
ubuntu/mosquitto<1.4.15-2ubuntu0.18.04.3
ubuntu/mosquitto<1.4.15-2ubuntu0.18.10.3
ubuntu/mosquitto<1.5.4-1
and 2 more
CVE-2017-7652
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lot...
Eclipse Mosquitto>=1.0<=1.4.14
Debian Debian Linux=7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
debian/mosquitto
CVE-2017-7651
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur i...
Eclipse Mosquitto<=1.4.14
Debian Debian Linux=7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
debian/mosquitto

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203