mosquitto

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description An Open Source MQTT Broker
Version 2.0.13-2 [community]

Open

Group Affected Fixed Severity Status Ticket
AVG-2332 2.0.13-2 Medium Vulnerable
Issue Group Severity Remote Type Description
CVE-2021-34434 AVG-2332 Medium Yes Access restriction bypass
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked...

Resolved

Group Affected Fixed Severity Status Ticket
AVG-1793 2.0.8-1 2.0.10-1 Medium Fixed
AVG-772 1.5.1-1 1.5.3-1 Medium Fixed
AVG-353 1.4.12-1 1.4.14-1 Medium Fixed
Issue Group Severity Remote Type Description
CVE-2021-28166 AVG-1793 Medium Yes Denial of service
In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL...
CVE-2018-12543 AVG-772 Medium Yes Denial of service
If a message is sent to Mosquitto before 1.5.3 with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and...
CVE-2017-9868 AVG-353 Medium No Information disclosure
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

Advisories

Date Advisory Group Severity Type
01 Oct 2018 ASA-201810-1 AVG-772 Medium denial of service
16 Jul 2017 ASA-201707-16 AVG-353 Medium information disclosure