📦

mosquitto

Vendor: eclipse

Login to add this product to WatchStack
Actively Exploited 0 CISA KEV List
PoC / Exploits 1 Code Available
Total RCEs 4 Remote Access
Total CVEs 58 Total Indexed
Avg. EPSS 2.81% Exploit Prob.
Latest CVE CVE-2024-3935 Oct 30

Security Vulnerability Index

Page 3 / 6
7.5 CVSS
CVE-2017-7654
RCE

In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

EPSS: 1.45%
5.3 CVSS
CVE-2017-7653

The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.

EPSS: 0.93%
7.5 CVSS
CVE-2017-7652
RCE

In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.

EPSS: 1.00%
7.5 CVSS
CVE-2017-7651
Exploit Found

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

EPSS: 23.13%
6.5 CVSS
CVE-2017-7650

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

EPSS: 3.99%
5.5 CVSS
CVE-2017-9868

In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

EPSS: 0.03%