CVE-2021-28166: 
NixOS vulnerability analysis and mitigation

In Eclipse Mosquitto versions 2.0.0 to 2.0.9, a vulnerability was identified where an authenticated client connected with MQTT v5 could trigger a NULL pointer dereference by sending a crafted CONNACK message to the broker. The vulnerability was assigned CVE-2021-28166 and was discovered on April 6, 2021 (Eclipse Bug).

The vulnerability is classified as CWE-476: NULL Pointer Dereference. It has been assigned a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based, requires low attack complexity, needs low privileges, and requires no user interaction. While the vulnerability doesn't impact confidentiality or integrity, it has a high impact on availability (AttackerKB).

The vulnerability primarily affects system availability through a NULL pointer dereference, which could potentially cause the broker to crash. The attack requires authentication and specifically affects MQTT v5 connections (Eclipse Bug).

The vulnerability has been fixed in Eclipse Mosquitto version 2.0.10. Users running affected versions (2.0.0-2.0.9) should upgrade to version 2.0.10 or later to mitigate this vulnerability. A patch was also made available for versions 2.0.0-2.0.9 (Eclipse Bug).