National Vulnerability Database

National Vulnerability Database

National Vulnerability

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): MQTT
  • Search Type: Search All
There are 41 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity

In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles errors occurring during a read operation on a UDP socket. The receive loop ends. This allows an attacker (via a large packet) to prevent a RIOT MQTT-SN client from working until the device is restarted.

Published: October 09, 2019; 01:15:10 PM -04:00
(not available)

Amazon FreeRTOS up to and including v1.4.8 for AWS lacks length checking in prvProcessReceivedPublish, resulting in leakage of arbitrary memory contents on a device to an attacker. An attacker sends a malformed MQTT publish packet, and waits for an MQTTACK packet containing the leaked data.

Published: October 07, 2019; 06:15:10 PM -04:00
(not available)

RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implementation (asymcute), potentially allowing an attacker to crash a network node running RIOT. This requires spoofing an MQTT server response. To do so, the attacker needs to know the MQTT MsgID of a pending MQTT protocol message and the ephemeral port used by RIOT's MQTT implementation. Additionally, the server IP address is required for spoofing the packet.

Published: September 24, 2019; 02:15:11 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Published: September 19, 2019; 10:15:10 AM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.0 MEDIUM

If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.

Published: September 18, 2019; 07:15:10 PM -04:00
V3.1: 5.4 MEDIUM
    V2: 5.5 MEDIUM

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Published: September 11, 2019; 02:15:10 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM

A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.

Published: August 22, 2019; 10:15:13 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.

Published: June 24, 2019; 07:15:12 PM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH

In Bevywise MQTTRoute 1.1 build 1018-002, a connect packet combined with a malformed unsubscribe request packet can be used to cause a Denial of Service attack against the broker.

Published: June 10, 2019; 01:29:03 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

An issue was discovered in Hybrid Group Gobot before 1.13.0. The mqtt subsystem skips verification of root CA certificates by default.

Published: May 31, 2019; 07:29:02 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module versions < 3.5.1, 4.0.0 - 4.1.3, 5.0.0 - 5.6.1, 6.0.0 - 6.1.2 for decoding.

Published: May 06, 2019; 01:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.

Published: April 09, 2019; 12:29:01 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

Published: March 28, 2019; 06:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

An issue was discovered in the MQTT input plugin in Fluent Bit through 1.0.4. When this plugin acts as an MQTT broker (server), it mishandles incoming network messages. After processing a crafted packet, the plugin's mqtt_packet_drop function (in /plugins/in_mqtt/mqtt_prot.c) executes the memmove() function with a negative size parameter. That leads to a crash of the whole Fluent Bit server via a SIGSEGV signal.

Published: March 13, 2019; 03:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

azure-umqtt-c (available through GitHub prior to 2017 October 6) allows remote attackers to cause a denial of service via unspecified vectors.

Published: March 12, 2019; 06:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM

Improper length check while processing an MQTT message can lead to heap overflow in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 835, SDA660, SDM630, SDM660

Published: January 18, 2019; 05:29:00 PM -05:00
V3.0: 8.8 HIGH
    V2: 8.3 HIGH

While processing a packet decode request in MQTT, Race condition can occur leading to an out-of-bounds access in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, SD 210/SD 212/SD 205, SD 427, SD 435, SD 450, SD 625, SD 636, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016

Published: January 18, 2019; 05:29:00 PM -05:00
V3.0: 7.5 HIGH
    V2: 7.9 HIGH

Improper check while accessing the local memory stack on MQTT connection request can lead to buffer overflow in snapdragon wear in versions MDM9206, MDM9607

Published: January 18, 2019; 05:29:00 PM -05:00
V3.0: 8.8 HIGH
    V2: 8.3 HIGH

In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function.

Published: November 27, 2018; 02:29:00 AM -05:00
V3.0: 6.5 MEDIUM
    V2: 4.3 MEDIUM

An issue was discovered in the MQTT server in Contiki-NG before 4.2. The function parse_publish_vhdr() that parses MQTT PUBLISH messages with a variable length header uses memcpy to input data into a fixed size buffer. The allocated buffer can fit only MQTT_MAX_TOPIC_LENGTH (default 64) bytes, and a length check is missing. This could lead to Remote Code Execution via a stack-smashing attack (overwriting the function return address). Contiki-NG does not separate the MQTT server from other servers and the OS modules, so access to all memory regions is possible.

Published: November 21, 2018; 03:29:00 PM -05:00
V3.0: 10.0 CRITICAL
    V2: 10.0 HIGH