Total
23 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-7652 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2023-12-10 | 6.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail. | |||||
CVE-2017-7650 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. | |||||
CVE-2017-9868 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. |