Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mosquitto
(Eclipse)| Repositories | https://github.com/eclipse/mosquitto |
| #Vulnerabilities | 23 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-09-11 | CVE-2017-7650 | In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. | Debian_linux, Mosquitto | 6.5 | ||
| 2018-06-05 | CVE-2017-7653 | The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients. | Debian_linux, Mosquitto | 5.3 | ||
| 2017-06-25 | CVE-2017-9868 | In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. | Debian_linux, Mosquitto | 5.5 |