mosquitto

Link	package \| bugs open \| bugs closed \| Wiki \| GitHub \| web search
Description	An Open Source MQTT Broker
Version	2.0.18-3 [extra]

Resolved

Group	Affected	Fixed	Severity	Status	Ticket
AVG-2332	2.0.11-1	2.0.12-1	Medium	Fixed
AVG-1793	2.0.8-1	2.0.10-1	Medium	Fixed
AVG-772	1.5.1-1	1.5.3-1	Medium	Fixed
AVG-353	1.4.12-1	1.4.14-1	Medium	Fixed

Issue	Group	Severity	Remote	Type	Description
CVE-2021-34434	AVG-2332	Medium	Yes	Access restriction bypass	In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked...
CVE-2021-28166	AVG-1793	Medium	Yes	Denial of service	In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL...
CVE-2018-12543	AVG-772	Medium	Yes	Denial of service	If a message is sent to Mosquitto before 1.5.3 with a topic that begins with $, but is not $SYS, then an assert that should be unreachable is triggered and...
CVE-2017-9868	AVG-353	Medium	No	Information disclosure	In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

Advisories

Date	Advisory	Group	Severity	Type
01 Oct 2018	ASA-201810-1	AVG-772	Medium	denial of service
16 Jul 2017	ASA-201707-16	AVG-353	Medium	information disclosure