mosquitto
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | An Open Source MQTT Broker |
| Version | 2.0.13-2 [community] |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2332 | 2.0.13-2 | Medium | Vulnerable |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-34434 | AVG-2332 | Medium | Yes | Access restriction bypass | In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked... |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1793 | 2.0.8-1 | 2.0.10-1 | Medium | Fixed | |
| AVG-772 | 1.5.1-1 | 1.5.3-1 | Medium | Fixed | |
| AVG-353 | 1.4.12-1 | 1.4.14-1 | Medium | Fixed |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-28166 | AVG-1793 | Medium | Yes | Denial of service | In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL... |
| CVE-2018-12543 | AVG-772 | Medium | Yes | Denial of service | If a message is sent to Mosquitto before 1.5.3 with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and... |
| CVE-2017-9868 | AVG-353 | Medium | No | Information disclosure | In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. |
Advisories
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 01 Oct 2018 | ASA-201810-1 | AVG-772 | Medium | denial of service |
| 16 Jul 2017 | ASA-201707-16 | AVG-353 | Medium | information disclosure |