CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-12551 – Debian Security Advisory 4388-1
https://notcve.org/view.php?id=CVE-2018-12551
11 Feb 2019 — When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401 • CWE-287: Improper Authentication CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20145
https://notcve.org/view.php?id=CVE-2018-20145
13 Dec 2018 — Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. Eclipse Mosquitto en versiones 1.5.x anteriores a la 1.5.5 permite la omisión de las listas de control de acceso: si la opción per_listener_settings está establecida como True, el escuchador por defecto se está empleando y el escuchador por defecto especifica un acl_file, el archi... • https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 0CVE-2018-12543
https://notcve.org/view.php?id=CVE-2018-12543
15 Nov 2018 — In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. En Eclipse Mosquitto, de la versión 1.5 a la 1.5.2 inclusive, si se publica un mensaje en Mosquitto con un tema que empieza por $, pero que no es $SYS, e.g. $test/test, se desencadena una aserción que, de otra forma, no debería ser alcanzable y Mosquitto... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=539295 • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7653 – Ubuntu Security Notice USN-4023-1
https://notcve.org/view.php?id=CVE-2017-7653
05 Jun 2018 — The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients. El broker Eclipse Mosquitto hasta la versión 1.4.15 no rechaza strings que no son UTF-8 válidos. Un cliente malicioso podría provocar que otros clientes que sí rechazan strings UTF-8 no v... • http://docs.oasis-open.org/mqtt/disallowed-chars/v1.0/disallowed-chars-v1.0.pdf • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2017-7654 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7654
05 Jun 2018 — In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker. En Eclipse Mosquitto en versiones 1.4.15 y anteriores, se ha descubierto una vulnerabilidad de fuga de memoria en el broker Mosquitto. Los clientes no autenticados pueden enviar paquetes CONNECT manipulados que podrían provocar una denegación de servicio (DoS) en el broker Mosquitto.... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7652 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7652
25 Apr 2018 — In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail. En Eclipse Mosquitto, si se establece una instancia de Mosquitto ejecutándose con un archivo de configuración, el envío de ... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102 • CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 7.5EPSS: 21%CPEs: 4EXPL: 3CVE-2017-7651 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7651
24 Apr 2018 — In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol. En Eclipse Mosquitto 1.4.14, un usuario puede cerrar el servidor Mosquitto simplemente llenando la memoria RAM con muchas conexiones con una carga útil grande. Esto puede hacerse sin autenticaciones si ocurre en la fase de conexión del protocolo MQTT. It was discovered that ... • https://github.com/St3v3nsS/CVE-2017-7651 • CWE-400: Uncontrolled Resource Consumption CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9868
https://notcve.org/view.php?id=CVE-2017-9868
25 Jun 2017 — In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. En Mosquitto hasta la versión 1.4.12, mosquitto.db (también conocido como archivo de persistencia) es legible por todo el mundo, lo que permite a los usuarios locales obtener información sensible de los topic's MQTT. • https://github.com/eclipse/mosquitto/issues/468 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 1CVE-2017-7650 – Debian Security Advisory 3865-1
https://notcve.org/view.php?id=CVE-2017-7650
30 May 2017 — In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. En Mosquitto en versiones anteriores a la 1.4.12, las listas de control de acceso (ACL) basadas en patrones pueden ser omitidas por clientes que establecen su ID de nombre de usuario/cli... • http://mosquitto.org/2017/05/security-advisory-cve-2017-7650 • CWE-287: Improper Authentication •