Community
Participate
Working Groups
Created attachment 286040 [details] Patch for Mosquitto versions 2.0.0-2.0.9. I'd like to request a CVE be assigned for Mosquitto. Unfortunately the vulnerability was reported in public. It has already been fixed in version 2.0.10. A patch for 2.0.0-2.0.9 is attached. project: Eclipse Mosquitto version: [2.0.0, 2.0.9] cwe: CWE-476: NULL Pointer Dereference summary: In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. CVSS score: 6.0 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1
We'll use CVE-2021-28166 I've pushed the report to the central authority. https://github.com/CVEProject/cvelist/pull/1254
Roger, I believe that you're referencing this issue in the change log [1], but using the wrong CVE (CVE-2021-23980). Can you confirm/fix? [1] https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt
Thanks Wayne, that is now fixed.