Product:

Mosquitto

(Eclipse)
Repositories https://github.com/eclipse/mosquitto
#Vulnerabilities 24
Date Id Summary Products Score Patch Annotated
2024-10-11 CVE-2024-8376 In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets. Mosquitto 7.5
2023-09-01 CVE-2023-28366 The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. Mosquitto 7.5
2023-10-02 CVE-2023-0809 In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets. Mosquitto 5.3
2023-10-02 CVE-2023-3592 In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types. Mosquitto 7.5
2019-09-19 CVE-2019-11779 In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. Ubuntu_linux, Debian_linux, Mosquitto, Fedora, Backports_sle, Leap 6.5
2021-08-30 CVE-2021-34434 In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. Mosquitto, Fedora 5.3
2023-10-18 CVE-2023-5632 In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6 Mosquitto 7.5
2021-12-01 CVE-2021-41039 In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. Mosquitto 7.5
2019-03-27 CVE-2017-7655 In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library. Debian_linux, Mosquitto 7.5
2021-07-27 CVE-2021-34432 In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0. Mosquitto 7.5