NULL Pointer Dereference

Affecting mosquitto package, versions <2.0.10

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Mosquitto is an open source implementation of a server for version 3.1 and 3.1.1 of the MQTT protocol.

Affected versions of this package are vulnerable to NULL Pointer Dereference. If an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.

Remediation

Upgrade Mosquitto to version 2.0.10 or higher.

References

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C
Credit
Bryan Pearson
CVE
CVE-2021-28166
CWE
CWE-476
Snyk ID
SNYK-COCOAPODS-MOSQUITTO-1244070
Disclosed
08 Apr, 2021
Published
08 Apr, 2021