Search: EclipseMosquitto (26 matches found)

CVE-2024-10525 (added 2024/10/30)

CVE-2024-10525 concerns Eclipse Mosquitto. A crafted SUBACK packet with no reason codes could cause out-of-bounds memory access in libmosquitto when handling on_subscribe, affecting mosquitto_sub and mosquitto_rr clients. Affected range is from 1.3.2 through 2.0.18 per the CVE summary. Connected ...

CVSS 9.8 | AI score 9 | EPSS 0.579
CVE-2023-0809 (added 2023/10/02)

Eclipse Mosquitto CVE-2023-0809 affects Mosquitto 2.0.x up to before 2.0.16, where memory is excessively allocated by malicious initial packets that are not CONNECT packets. Several connected advisories document a memory leak that can lead to broker unresponsiveness (notably CVE-2023-0809 alongsi...

CVSS 5.8 | AI score 6 | EPSS 0.00608
CVE-2023-28366 (added 2023/09/01)

CVE-2023-28366 affects the Eclipse Mosquitto broker (versions 1.3.2–2.x prior to 2.0.16). The issue is a memory leak caused by mishandling of EAGAIN from libc send when a client sends many QoS 2 messages with duplicate message IDs and the broker does not respond to PUBREC. This can enable remote ...

CVSS 7.5 | AI score 7.1 | EPSS 0.01107
CVE-2019-11779 (added 2019/09/19)

CVE-2019-11779 affects Eclipse Mosquitto versions 1.5.0–1.6.5 (inclusive). A crafted MQTT SUBSCRIBE packet with a topic containing about 65,400 or more '/' characters can trigger a stack overflow in the broker, causing a denial of service. Public references show that the root cause is handling of...

CVSS 6.5 | AI score 6.6 | EPSS 0.02742
CVE-2021-34431 (added 2021/07/22)

CVE-2021-34431 affects Eclipse Mosquitto 1.6–2.0.10. The issue is a memory leak in the broker triggered when an authenticated client that previously connected with MQTT v5 sends a crafted CONNECT message, leading to a potential denial of service. The connected documents confirm the vulnerability ...

CVSS 6.5 | AI score 6.2 | EPSS 0.01113
CVE-2023-3592 (added 2023/10/02)

Eclipse Mosquitto CVE-2023-3592 affects Mosquitto prior to 2.0.16, where a memory leak occurs when clients send v5 CONNECT packets with a will message containing invalid property types. This memory leak can lead to broker unresponsiveness/DoS. Remediation from related advisories indicates upgradi...

CVSS 7.5 | AI score 6.4 | EPSS 0.00675
CVE-2019-11778 (added 2019/09/18)

CVE-2019-11778 affects Eclipse Mosquitto 1.6.0–1.6.4. When an MQTT v5 client connects, and the will delay interval is longer than the session expiry interval, a use-after-free error may occur, potentially causing a crash in some situations. The connected Red Hat/SUSE and OSV entries reiterate the...

CVSS 5.5 | AI score 5.5 | EPSS 0.00761
CVE-2018-12550 (added 2019/03/27)

CVE-2018-12550 affects Eclipse Mosquitto 1.0–1.5.5 when an ACL file is configured but empty or only comments/blank lines, causing the broker to treat the file as defined and switch from a default deny to a default allow policy. Public disclosures in connected docs confirm the vulnerability behavi...

CVSS 8.1 | AI score 6.9 | EPSS 0.01353
CVE-2018-12551 (added 2019/03/27)

CVE-2018-12551 affects Eclipse Mosquitto 1.0–1.5.5 when a password file is used for authentication: malformed data in the file can be treated as a valid username (e.g., a blank line), allowing bypass of authentication. Other security measures remain unaffected, and users relying on mosquitto_pass...

CVSS 8.1 | AI score 7.1 | EPSS 0.01475
CVE-2018-12546 (added 2019/03/27)

CVE-2018-12546 affects Eclipse Mosquitto 1.0–1.5.5: a retained message published to a topic continues to be delivered to future subscribers after that client’s access to the topic is revoked, potentially enabling effects not allowed by normal access controls. This is a s...

CVSS 6.5 | AI score 6.4 | EPSS 0.00817
CVE-2024-8376 (added 2024/10/11)

CVE-2024-8376 affects Eclipse Mosquitto up to version 2.0.18a, where an attacker can trigger memory leaks, a segmentation fault or a heap use-after-free by sending crafted sequences of MQTT packets (CONNECT, DISCONNECT, SUBSCRIBE, UNSUBSCRIBE, PUBLISH). Public documents consistently cite these symp...

CVSS 7.5 | AI score 7.5 | EPSS 0.00748
CVE-2021-34434 (added 2021/08/30)

In Eclipse Mosquitto, CVE-2021-34434 affects versions 2.0 to 2.0.11 when using the dynamic security plugin: if a client’s ability to subscribe is revoked while a durable client is offline, existing subscriptions for that client are not revoked. Multiple connected advisories confirm the issue and ...

CVSS 5.3 | AI score 5.3 | EPSS 0.01367
CVE-2017-9868 (added 2017/06/25)

CVE-2017-9868 affects Mosquitto

CVSS 5.5 | AI score 5.3 | EPSS 0.00361
CVE-2017-7651 (added 2018/04/24)

CVE-2017-7651 affects Eclipse Mosquitto 1.4.14, where an unauthenticated attacker can trigger a denial-of-service by exhausting memory via crafted CONNECT packets during the MQTT connection phase, potentially impacting the broker. Connected sources corroborate remote DoS risk and reference patche...

CVSS 7.5 | AI score 7.2 | EPSS 0.05294
CVE-2021-34432 (added 2021/07/27)

Eclipse Mosquitto vulnerability CVE-2021-34432 affects versions 2.07 and earlier, where a PUBLISH packet with a zero-length topic can crash the server. This can enable a denial-of-service condition as described in multiple sources, with IBM App Connect Enterprise/Integration Bus noting the im...

CVSS 7.5 | AI score 7.1 | EPSS 0.01247
CVE-2017-7650 (added 2017/09/11)

CVE-2017-7650 affects Eclipse Mosquitto up to version 1.4.11 (before 1.4.12). The vulnerability arises from pattern-based ACLs that can be bypassed when clients set their username or client id to '#' or '+', allowing locally or remotely connected clients to access MQTT topics they should not be a...

CVSS 6.5 | AI score 6.2 | EPSS 0.02472
CVE-2017-7653 (added 2018/06/05)

The CVE-2017-7653 issue affects the Eclipse Mosquitto broker up to version 1.4.15, where the broker does not reject strings that are not valid UTF-8. A malicious client can trigger a denial of service by sending an invalid UTF-8 topic string, causing other clients that reject invalid UTF-8 to dis...

CVSS 5.3 | AI score 5.9 | EPSS 0.01454
CVE-2017-7652 (added 2018/04/25)

CVE-2017-7652 affects Eclipse Mosquitto (notably around version 1.4.14) where reloading configuration on SIGHUP can exhaust file descriptors/sockets, preventing opening the config file. Publicly documented impact includes potential configuration reload failures due to FD exhaustion. Remediation g...

CVSS 7.5 | AI score 7.2 | EPSS 0.01679
CVE-2021-41039 (added 2021/12/01)

CVE-2021-41039 affects Eclipse Mosquitto versions 1.6–2.0.11, where an MQTT v5 client sending a large number of user-property properties can cause excessive CPU usage, potentially leading to denial of service. Public sources confirm the vulnerability and note fixes in later package updates: Debia...

CVSS 7.5 | AI score 7.2 | EPSS 0.0126
CVE-2017-7654 (added 2018/06/05)

CVE-2017-7654 affects the Mosquitto MQTT broker (up to version 1.4.15). The issue is a memory leak in the broker that can be triggered by unauthenticated clients sending crafted CONNECT packets, leading to a denial of service. Affected: Eclipse Mosquitto 1.4.15 and earlier. Impact: DoS of the bro...

CVSS 7.5 | AI score 7.1 | EPSS 0.02173
CVE-2018-12543 (added 2018/11/15)

CVE-2018-12543 affects Eclipse Mosquitto versions 1.5 through 1.5.2. When a message is published with a topic starting with ‘$’ but not ‘$SYS’ (e.g., ‘$test/test’), an assertion is triggered and Mosquitto exits. The issue is triggered during processing of such topics and is resolved in the 1.5.3 ...

CVSS 7.5 | AI score 7.2 | EPSS 0.36013
CVE-2017-7655 (added 2019/03/27)

CVE-2017-7655 affects the Eclipse Mosquitto broker/library (versions 1.0–1.4.15). The root cause is a NULL pointer dereference in the Mosquitto library, which could cause crashes for applications using the library and lead to a denial of service. Public advisories note remediation via upgrading Mosquitto...

CVSS 7.5 | AI score 7.3 | EPSS 0.01885
CVE-2024-3935 (added 2024/10/30)

CVE-2024-3935 affects Eclipse Mosquitto: 2.0.0–2.0.18 expose a double-free crash when a broker with an outgoing bridge uses topic remapping and receives a crafted PUBLISH from a remote connection. Connected advisories confirm the issue across multiple distributions and show remediation through up...

CVSS 6.5 | AI score 7.4 | EPSS 0.00761
CVE-2021-28166 (added 2021/04/07)

Eclipse Mosquitto broker (versions 2.0.0–2.0.9) is vulnerable to a NULL pointer dereference when an authenticated client that previously connected with MQTT v5 sends a crafted CONNACK message. Affected component: broker handling CONNACK under MQTT v5. Impact as per sources: availability impact HI...

CVSS 6.5 | AI score 6.2 | EPSS 0.00968
CVE-2023-5632 (added 2023/10/18)

Eclipse Mosquitto contains a denial-of-service issue (CVE-2023-5632): when establishing a connection to the broker without sending data, an EPOLLOUT event is added, causing excessive CPU usage. Affected versions are Mosquitto before and including 2.0.5; the issue is fixed in 2.0.6. Several feeds ...

CVSS 7.5 | AI score 7.1 | EPSS 0.00689
CVE-2018-20145 (added 2018/12/13)

CVE-2018-20145: Eclipse Mosquitto 1.5.x before 1.5.5 is affected. When per_listener_settings is true and the default listener is used with an acl_file configured, the ACL file is ignored, constituting an ACL bypass risk. Affected software: mosquitto 1.5.x prior to 1.5.5. Root cause: default-liste...

CVSS 7.5 | AI score 7.3 | EPSS 0.01645