Denial of Service Vulnerability in Eclipse Mosquitto MQTT Client
CVE-2021-41039

7.5HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Mosquitto
Vendor: CVE Published:; 1 December 2021

What is CVE-2021-41039?

In specific versions of the Eclipse Mosquitto MQTT client, an issue arises when connecting with a large number of user-property properties. This misconfiguration can lead to excessive CPU utilization, severely impacting performance and potentially causing service disruptions. Users operating versions 1.6 to 2.0.11 should promptly review their implementations and consider upgrades to mitigate this performance-related risk.

Affected Version(s)

Eclipse Mosquitto 1.6

Eclipse Mosquitto <= 2.0.11

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314

https://www.debian.org/security/2023/dsa-5511

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 1, 2021
Vulnerability Reserved
Sep 13, 2021

Credit

This issue was discovered and reported by Zhanxiang Song, Bin Yuan, DeQing Zou, Hai Jin, Huazhong Univ. of Sci. & Tech.; Luyi Xing, IU; Yan Jia, Nankai University

The Eclipse Foundation

What is CVE-2021-41039?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit