CVE-2021-28166

Published on: 04/07/2021 12:00:00 AM UTC

Last Modified on: 04/13/2021 09:42:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

Certain versions of Mosquitto from Eclipse contain the following vulnerability:

In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.

  • CVE-2021-28166 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: The Eclipse Foundation - Eclipse Mosquitto version >= 2.0
  • Affected Vendor/Software: The Eclipse Foundation - Eclipse Mosquitto version <= 2.0.9

CVSS3 Score: 6.5 - MEDIUM

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW LOW NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED NONE NONE HIGH

CVSS2 Score: 4 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK LOW SINGLE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE NONE PARTIAL

CVE References

Description Tags Link
572608 – (CVE-2021-28166) Mosquitto: CVE request - NULL pointer dereference on crafted CONNACK bugs.eclipse.org
text/html
URL Logo CONFIRM bugs.eclipse.org/bugs/show_bug.cgi?id=572608

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationEclipseMosquittoAllAllAllAll
  • cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2021-28166 : In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQ… twitter.com/i/web/status/1… 2021-04-07 18:52:54
Twitter Icon @LinInfoSec Eclipse - CVE-2021-28166: bugs.eclipse.org/bugs/show_bug.… 2021-04-07 22:41:31