Eclipse Mosquitto 0.3

CPE Details

Eclipse Mosquitto 0.3
eclipse
mosquitto
0.3
2018-07-17
15h42 +00:00
2018-07-17
15h42 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:eclipse:mosquitto:0.3:*:*:*:*:*:*:*

Informations

Vendor

eclipse

Product

mosquitto

Version

0.3

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2024-8376 2024-10-11 15h18 +00:00 In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
7.2
High
CVE-2023-5632 2023-10-18 08h34 +00:00 In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6
7.5
High
CVE-2023-3592 2023-10-02 19h01 +00:00 In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
7.5
High
CVE-2023-0809 2023-10-02 18h56 +00:00 In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
5.8
Medium
CVE-2021-34432 2021-07-27 13h25 +00:00 In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.
7.5
High
CVE-2017-7653 2018-06-05 18h00 +00:00 The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.
5.3
Medium
CVE-2017-7654 2018-06-05 18h00 +00:00 In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.
7.5
High
CVE-2017-7651 2018-04-24 12h00 +00:00 In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.
7.5
High
CVE-2017-7650 2017-09-11 16h00 +00:00 In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
6.5
Medium
CVE-2017-9868 2017-06-25 12h00 +00:00 In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.
5.5
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.