CVE-2021-28166 - In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT

CVE-2021-28166

Summary

In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608

Vulnerable Configurations

cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 13-04-2021 - 21:42)
Impact:
Exploitability:

CWE

CWE-476

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:S/C:N/I:N/A:P

Last major update

13-04-2021 - 21:42

Published

07-04-2021 - 19:15

Last modified

13-04-2021 - 21:42