CVE-2021-34434: 
NixOS vulnerability analysis and mitigation

CVE-2021-34434 affects Eclipse Mosquitto versions 2.0 to 2.0.11, specifically when using the dynamic security plugin. The vulnerability was discovered in 2021 and involves an authorization bypass issue where if a client's subscription privileges are revoked while the client is offline, their existing subscriptions remain active (Eclipse Bug, Ubuntu CVE).

The vulnerability occurs in the dynamic security plugin's handling of durable client subscriptions. When using the plugin with default ACL type behaviors (publishClientSend: deny, publishClientReceive: allow, subscribe: deny, unsubscribe: allow), if a client connects with cleanStart=False and an adequate sessionInterval, their existing subscriptions persist even after their privileges are revoked. The vulnerability has been assigned a CVSS 3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Ubuntu CVE).

The vulnerability allows unauthorized access to message streams, as clients can continue receiving messages from topics they no longer have permission to access. This creates a potential security breach where revoked permissions remain effectively active for previously subscribed topics (Eclipse Bug).

The issue has been fixed in Mosquitto version 2.0.12. Various Linux distributions have released security updates to address this vulnerability, including Ubuntu (2.0.11-1.2ubuntu0.1 for 23.04 and 2.0.11-1ubuntu1.1 for 22.04 LTS), Fedora (2.0.12-1), and Debian (2.0.11-1+deb11u1) (Ubuntu Notice, Debian Security).