Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: mosquitto

Found 3 matching suggestions

View:
Compact
Detailed
Permalink CVE-2024-3935
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Eclipse Mosquito: Double free vulnerability

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.

References

Affected products

mosquitto
  • <2.0.18
  • =<2.0.18

Matching in nixpkgs

pkgs.mosquitto

Open source MQTT v3.1/3.1.1/5.0 broker

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-10525
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months ago
Eclipse Mosquito: Heap Buffer Overflow in my_subscribe_callback

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

References

Affected products

mosquitto
  • =<2.0.18

Matching in nixpkgs

pkgs.mosquitto

Open source MQTT v3.1/3.1.1/5.0 broker

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-8376
created 6 months ago
Memory leak

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

References

Affected products

mosquitto
  • ==2.0.18
  • ==2.0.19

Matching in nixpkgs

pkgs.mosquitto

Open source MQTT v3.1/3.1.1/5.0 broker

  • nixos-unstable -

Package maintainers