U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:eclipse:mosquitto:0.8
There are 9 matching records.
Displaying matches 1 through 9.
Vuln ID Summary CVSS Severity
CVE-2023-5632

In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6

Published: October 18, 2023; 5:15:10 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-3592

In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.

Published: October 02, 2023; 4:15:10 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-0809

In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

Published: October 02, 2023; 3:15:09 PM -0400
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2021-34432

In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

Published: July 27, 2021; 12:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-7654

In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

Published: June 05, 2018; 4:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-7653

The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

Published: June 05, 2018; 4:29:00 PM -0400
V3.0: 5.3 MEDIUM
V2.0: 3.5 LOW
CVE-2017-7651

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

Published: April 24, 2018; 10:29:00 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-7650

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

Published: September 11, 2017; 12:29:00 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2017-9868

In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

Published: June 25, 2017; 10:29:00 AM -0400
V3.0: 5.5 MEDIUM
V2.0: 2.1 LOW