CVE-2021-34431

Published: 7/22/2021 Last updated: 8/4/2024 Reserved: 6/9/2021

In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker.

CNA assigner: eclipse (e51fbebd-6053-4e49-959f-1b94eeb69a2c) Requested by: n/a

Opam packages affected (1)

conf-libmosquitto

Products affected (2)

Product	Vendor	Version
Eclipse Mosquitto	The Eclipse Foundation	v32.3.0.5
Eclipse Mosquitto	The Eclipse Foundation	< 3a062a5c55adc5507600b9ae6d911e247e2f1d6e

References (4)

https://bugs.eclipse.org/bugs/show_bug.cgi?id=573191
https://bugs.eclipse.org/bugs/show_bug.cgi?id=573191
https://bugs.eclipse.org/bugs/show_bug.cgi?id=573191
https://bugs.eclipse.org/bugs/show_bug.cgi?id=573191

Credits (2)

Thanks to Kathrin Kleinhammer of OTARIS Interactive Services GmbH for discovering and reporting this issue.
Thanks to Kathrin Kleinhammer of OTARIS Interactive Services GmbH for discovering and reporting this issue.