Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
mosquitto vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2023-3592
In Mosquitto prior to 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
Eclipse Mosquitto
5.3
CVSSv3
CVE-2023-0809
In Mosquitto prior to 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
Eclipse Mosquitto
5.4
CVSSv3
CVE-2019-11778
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free erro...
Eclipse Mosquitto
5.5
CVSSv3
CVE-2017-9868
In Mosquitto up to and including 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.
Eclipse Mosquitto
Debian Debian Linux 8.0
6.5
CVSSv3
CVE-2017-7650
In Mosquitto prior to 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present ...
Eclipse Mosquitto
Debian Debian Linux 8.0
5.3
CVSSv3
CVE-2021-34434
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.
Eclipse Mosquitto
Fedoraproject Fedora 34
Fedoraproject Fedora 35
5.3
CVSSv3
CVE-2017-7653
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and s...
Eclipse Mosquitto
Debian Debian Linux 8.0
Debian Debian Linux 9.0
7.5
CVSSv3
CVE-2017-7655
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.
Eclipse Mosquitto
Debian Debian Linux 8.0
Debian Debian Linux 9.0
7.5
CVSSv3
CVE-2017-7654
In Eclipse Mosquitto 1.4.15 and previous versions, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.
Eclipse Mosquitto
Debian Debian Linux 9.0
Debian Debian Linux 8.0
7.5
CVSSv3
CVE-2017-7651
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.
Eclipse Mosquitto
Debian Debian Linux 8.0
Debian Debian Linux 7.0
Debian Debian Linux 9.0
2 Github repositories
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
NEXT »