CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7653 – Ubuntu Security Notice USN-4023-1
https://notcve.org/view.php?id=CVE-2017-7653
05 Jun 2018 — The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients. El broker Eclipse Mosquitto hasta la versión 1.4.15 no rechaza strings que no son UTF-8 válidos. Un cliente malicioso podría provocar que otros clientes que sí rechazan strings UTF-8 no v... • http://docs.oasis-open.org/mqtt/disallowed-chars/v1.0/disallowed-chars-v1.0.pdf • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2017-7654 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7654
05 Jun 2018 — In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker. En Eclipse Mosquitto en versiones 1.4.15 y anteriores, se ha descubierto una vulnerabilidad de fuga de memoria en el broker Mosquitto. Los clientes no autenticados pueden enviar paquetes CONNECT manipulados que podrían provocar una denegación de servicio (DoS) en el broker Mosquitto.... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7652 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7652
25 Apr 2018 — In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail. En Eclipse Mosquitto, si se establece una instancia de Mosquitto ejecutándose con un archivo de configuración, el envío de ... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102 • CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 7.5EPSS: 21%CPEs: 4EXPL: 3CVE-2017-7651 – Debian Security Advisory 4325-1
https://notcve.org/view.php?id=CVE-2017-7651
24 Apr 2018 — In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol. En Eclipse Mosquitto 1.4.14, un usuario puede cerrar el servidor Mosquitto simplemente llenando la memoria RAM con muchas conexiones con una carga útil grande. Esto puede hacerse sin autenticaciones si ocurre en la fase de conexión del protocolo MQTT. It was discovered that ... • https://github.com/St3v3nsS/CVE-2017-7651 • CWE-400: Uncontrolled Resource Consumption CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-9868
https://notcve.org/view.php?id=CVE-2017-9868
25 Jun 2017 — In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. En Mosquitto hasta la versión 1.4.12, mosquitto.db (también conocido como archivo de persistencia) es legible por todo el mundo, lo que permite a los usuarios locales obtener información sensible de los topic's MQTT. • https://github.com/eclipse/mosquitto/issues/468 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 1CVE-2017-7650 – Debian Security Advisory 3865-1
https://notcve.org/view.php?id=CVE-2017-7650
30 May 2017 — In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. En Mosquitto en versiones anteriores a la 1.4.12, las listas de control de acceso (ACL) basadas en patrones pueden ser omitidas por clientes que establecen su ID de nombre de usuario/cli... • http://mosquitto.org/2017/05/security-advisory-cve-2017-7650 • CWE-287: Improper Authentication •