PT-2021-6465 · Eclipse · Eclipse Mosquitto

Bryan Pearson · Published 2021-06-10 · Updated 2025-03-10 · CVE-2021-34432

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Eclipse Mosquitto 2.0.7 and earlier (the CVE text writes the version as "2.07"; Mosquitto 2.x releases are numbered 2.0.x).
Description: The Mosquitto broker crashes when a client sends a PUBLISH packet whose topic length field is 0. A remote attacker who can reach the broker port can therefore take the broker down and cut off every connected client; the CVSS vector rates the issue as network-reachable with no authentication required (AV:N/Au:N). The impact is availability only (C:N/I:N/A:C): no code execution and no exposure of data is involved.
Recommendations: The affected range ends at 2.0.7, so upgrade to Mosquitto 2.0.8 or a later release. An unpatched broker cannot be configured to "restrict" this packet itself, so until the upgrade is done the practical mitigations are to limit who can reach the broker port (firewall rules, VPN, TLS client certificates) and, where a filtering proxy or IDS sits in front of the broker, to drop PUBLISH packets whose topic length field is 0 before they reach it.
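The packet shape behind this advisory, as an added example that is not code from this page or from the Mosquitto project: an MQTT 3.1.1 PUBLISH encoder that can produce the zero-length-topic packet the description refers to, and a hardened parser applying the checks a broker or an inline filter should make before acting on the topic. The wire layout follows the MQTT 3.1.1 specification; the function names, error strings and the sample packets built in the test are assumptions of this example, not anything taken from the advisory.

```python
"""MQTT 3.1.1 PUBLISH builder plus a hardened parser.

Added example, not code from the advisory page or from Mosquitto.
All packets are constructed in memory; nothing is sent over a network.
"""
import struct
from typing import Optional

PUBLISH_TYPE = 3  # control packet type for PUBLISH (high nibble of byte 0)


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, MSB = continuation."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int) -> tuple:
    """Returns (value, bytes_consumed); raises on truncated or over-long input."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if offset + consumed >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, consumed
        multiplier *= 128
        if multiplier > 128 ** 3:  # the spec allows at most four bytes
            raise ValueError("malformed remaining length")


def build_publish(topic: bytes, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    """Builds a raw PUBLISH packet. Deliberately performs no topic validation,
    so it can also emit the zero-length-topic packet the advisory describes."""
    if qos not in (0, 1, 2):
        raise ValueError("qos must be 0, 1 or 2")
    variable = struct.pack("!H", len(topic)) + topic   # 2-byte topic length, then topic
    if qos > 0:
        variable += struct.pack("!H", packet_id)       # packet identifier only for QoS 1/2
    remaining = variable + payload
    return bytes([(PUBLISH_TYPE << 4) | (qos << 1)]) + encode_remaining_length(len(remaining)) + remaining


def parse_publish(packet: bytes) -> dict:
    """Parses a PUBLISH packet, enforcing the checks a hardened receiver makes
    before touching the topic: consistent remaining length, a non-empty topic
    name, and no wildcard characters (both required by MQTT 3.1.1)."""
    if len(packet) < 2:
        raise ValueError("packet too short")
    if packet[0] >> 4 != PUBLISH_TYPE:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    if qos == 3:
        raise ValueError("invalid QoS 3")
    remaining, consumed = decode_remaining_length(packet, 1)
    body = packet[1 + consumed:]
    if len(body) != remaining:
        raise ValueError("remaining length does not match packet size")
    if len(body) < 2:
        raise ValueError("missing topic length")
    topic_len = struct.unpack("!H", body[:2])[0]
    if topic_len == 0:
        # The malformed case of CVE-2021-34432: reject it instead of processing it.
        raise ValueError("zero-length topic name in PUBLISH")
    if len(body) < 2 + topic_len:
        raise ValueError("topic length exceeds packet")
    topic = body[2:2 + topic_len]
    if b"+" in topic or b"#" in topic:
        raise ValueError("wildcard characters are not allowed in a PUBLISH topic")
    pos = 2 + topic_len
    packet_id = None
    if qos > 0:
        if len(body) < pos + 2:
            raise ValueError("missing packet identifier")
        packet_id = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
    return {"qos": qos, "topic": topic, "packet_id": packet_id, "payload": body[pos:]}


def publish_error(packet: bytes) -> Optional[str]:
    """Filter-style helper: the validation error for a packet, or None if it is well formed."""
    try:
        parse_publish(packet)
    except ValueError as exc:
        return str(exc)
    return None
```

The parser applies MQTT 3.1.1 rules. Under MQTT v5 a zero-length topic name is legal when the packet carries a Topic Alias property, so a v5-aware filter must look for that property rather than rejecting every zero-length topic outright; Mosquitto 2.x speaks both protocol versions, so a filter placed in front of it has to handle both.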

Exploit

Improper Resource Release

DoS


Weakness Enumeration

Related Identifiers

ALT-PU-2023-4418
ALT-PU-2024-12359
ALT-PU-2025-3746
BDU:2022-01688
CVE-2021-34432
OESA-2022-1564
OESA-2022-2053

Affected Products

Alt Linux
Eclipse Mosquitto