Product: Eclipse Mosquitto
26 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS score (severity)

CVE-2024-3935 | >= 2.0.0 and < 2.0.19 | 6.5 (MEDIUM)
In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connecti

CVE-2024-10525 | >= 1.3.2 and < 2.0.19 | 9.8 (CRITICAL)
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes,

CVE-2024-8376 | < 2.0.19 | 7.5 (HIGH)
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by s

CVE-2023-5632 | all versions | 7.5 (HIGH)
In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the

CVE-2023-3592 | < 2.0.16 | 5.8 (MEDIUM)
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid pr

CVE-2023-0809 | < 2.0.16 | 5.8 (MEDIUM)
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

CVE-2023-28366 | >= 1.3.2 and < 2.0.16 | 7.5 (HIGH)
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends

CVE-2021-41039 | >= 1.6 and <= 2.0.11 | 7.5 (HIGH)
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could

CVE-2021-34434 | >= 2.0.0 and <= 2.0.11 | 5.3 (MEDIUM)
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscript

CVE-2021-34432 | <= 2.0.7 | 7.5 (HIGH)
In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic leng

CVE-2021-34431 | >= 1.6 and <= 2.0.10 | 6.5 (MEDIUM)
In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT mess

CVE-2021-28166 | >= 2.0.0 and <= 2.0.9 | 6.5 (MEDIUM)
In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK mes

CVE-2019-11779 | >= 1.5 and < 1.5.9 | 6.5 (MEDIUM)
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consist

CVE-2019-11778 | >= 1.6 and < 1.6.5 | 5.4 (MEDIUM)
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will

CVE-2017-7655 | >= 1.0 and <= 1.4.15 | 7.5 (HIGH)
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could l

CVE-2018-12551 | >= 1.0 and <= 1.5.5 | 8.1 (HIGH)
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed dat

CVE-2018-12550 | >= 1.0 and <= 1.5.5 | 8.1 (HIGH)
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains

CVE-2018-12546 | >= 1.0 and <= 1.5.5 | 6.5 (MEDIUM)
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access t

CVE-2018-20145 | >= 1.5 and < 1.5.5 | 7.5 (HIGH)
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default liste

CVE-2018-12543 | >= 1.5.0 and <= 1.5.2 | 7.5 (HIGH)
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but

CVE-2017-7654 | <= 1.4.15 | 7.5 (HIGH)
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated client

CVE-2017-7653 | <= 1.4.15 | 5.3 (MEDIUM)
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause

CVE-2017-7652 | >= 1.0 and <= 1.4.14 | 7.5 (HIGH)
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server

CVE-2017-7651 | <= 1.4.14 | 7.5 (HIGH)
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections w

CVE-2017-7650 | < 1.4.12 | 6.5 (MEDIUM)
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This al

CVE-2017-9868 | <= 1.4.12 | 5.5 (MEDIUM)
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensiti
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin