CVE-2021-41039

Debian Security Advisory 5511-1

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

En las versiones 1.6 a 2.0.11 de Eclipse Mosquitto, un cliente MQTT v5 que se conecte con un gran número de propiedades de usuario podría causar un uso excesivo de la CPU, conllevando a una pérdida de rendimiento y una posible denegación de servicio

Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. Zhanxiang Song discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause an authorisation bypass. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04.

*Credits: This issue was discovered and reported by Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-13 CVE Reserved
2021-12-01 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-1050: Excessive Platform Resource Consumption within a Loop

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://www.debian.org/security/2023/dsa-5511	2023-10-02

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Mosquitto Search vendor "Eclipse" for product "Mosquitto"				>= 1.6 <= 2.0.11 Search vendor "Eclipse" for product "Mosquitto" and version " >= 1.6 <= 2.0.11"		-		Affected