PT-2021-6512
Eclipse · Eclipse Mosquitto

Syncxxx Song · Published 2021-08-30 · Updated 2023-11-21

CVE-2021-34434
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Eclipse Mosquitto versions 2.0 through 2.0.11

Description
The issue is located in the dynamic security plugin of Eclipse Mosquitto. When a client's permission to subscribe to a topic is revoked while that client is offline with a durable (persistent) session, the subscriptions it already holds are not revoked. This is an authorization flaw: because the stale subscriptions stay in place, a remote attacker can keep receiving messages on topics they are no longer authorized for and thus access confidential data.

Recommendations
For Eclipse Mosquitto versions 2.0 through 2.0.11, as a temporary workaround, consider disabling the dynamic security plugin until a patch is available. Restrict access to the subscription functionality for durable clients to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

BDU:2022-01772
CVE-2021-34434
DSA-5511-1
MGASA-2021-0445
OPENSUSE-SU-2024:11575-1
USN-6492-1

Affected Products

Eclipse Mosquitto
Linuxmint
Ubuntu