|Description||In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able to cause effects that would otherwise not be allowed.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|mosquitto (PTS)||stretch (security), stretch||1.4.10-3+deb9u4||fixed|
|mosquitto (PTS)||buster, buster (security)||1.5.7-1+deb10u1||fixed|
|mosquitto (PTS)||bookworm, sid, bullseye||2.0.11-1||fixed|
The information below is based on the following data on fixed versions.
[jessie] - mosquitto <ignored> (Minor issue)