CVE-2021-34431
First published: Thu Jul 22 2021(Updated: )
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Mosquitto | >=1.6<=2.0.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-34431.
What is the title of this vulnerability?
The title of this vulnerability is 'In Eclipse Mosquitto version 1.6 to 2.0.10 if an authenticated client that had connected with MQTT v…'.
What is the description of this vulnerability?
The description of this vulnerability is that if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker in Eclipse Mosquitto version 1.6 to 2.0.10, a memory leak would occur, which could be used to provide a DoS attack against the broker.
What is the severity of CVE-2021-34431?
The severity of CVE-2021-34431 is medium with a CVSS score of 6.5.
How can I fix CVE-2021-34431?
To fix CVE-2021-34431, you should update your Eclipse Mosquitto software to version 2.0.11 or later.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/softwarecombine
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/eclipse
- canonical/eclipse mosquitto
- version/eclipse mosquitto/1.6
- version/eclipse mosquitto/2.0.10