Bug #7366

mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650)

Added by Alicha CH almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version: -
Start date: 06/01/2017
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Affected versions:
Security IDs:

Description

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.

Pattern-based ACLs can be bypassed by clients that set their username or client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third-party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.
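The following is an added illustration, not Mosquitto's own code: a minimal model of how a `pattern` ACL line is expanded with `%u`/`%c` and matched against a topic, showing why a username or client id of `#` or `+` turns a per-user rule into a wildcard, and a defender-side check that refuses such identifiers before the ACL is evaluated. The ACL lines, user names and topics are constructed sample values; the rejection rule is the mitigation assumed here, not a statement of what 1.4.12 does internally.

```python
# Added example, not Mosquitto's own code: a model of MQTT pattern ACLs
# showing why a username or client id of "#" or "+" bypasses them, plus a
# check that refuses such identifiers before ACL evaluation.

def topic_matches(sub: str, topic: str) -> bool:
    """Match a topic against a subscription filter with MQTT wildcards:
    '+' matches exactly one level, '#' matches the rest of the topic."""
    s, t = sub.split("/"), topic.split("/")
    for i, seg in enumerate(s):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(s) == len(t)

def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Expand a 'pattern' ACL line: %u -> username, %c -> client id."""
    return pattern.replace("%u", username).replace("%c", client_id)

def acl_check_vulnerable(pattern: str, username: str, client_id: str,
                         topic: str) -> bool:
    """Modelled pre-1.4.12 behaviour: identifiers flow into the filter
    unchecked, so a wildcard in the identifier becomes a wildcard in the ACL."""
    return topic_matches(expand_pattern(pattern, username, client_id), topic)

def identifier_is_safe(name: str) -> bool:
    """Refuse identifiers that would act as wildcards after substitution.
    (Assumed mitigation; consult the broker changelog for its exact rule.)"""
    return "#" not in name and "+" not in name

def acl_check_hardened(pattern: str, username: str, client_id: str,
                       topic: str) -> bool:
    """Deny access (a broker would refuse the CONNECT) for unsafe identifiers,
    otherwise evaluate the pattern ACL as before."""
    if not (identifier_is_safe(username) and identifier_is_safe(client_id)):
        return False
    return acl_check_vulnerable(pattern, username, client_id, topic)

if __name__ == "__main__":
    acl = "sensors/%u/data"  # constructed: each user may read only its own topic
    for user in ("alice", "+", "#"):
        print(user,
              acl_check_vulnerable(acl, user, "c1", "sensors/bob/data"),
              acl_check_hardened(acl, user, "c1", "sensors/bob/data"))
```

Running it prints that `alice` is denied Bob's topic by both versions, while `+` and `#` are granted it by the vulnerable check and denied by the hardened one.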

Fixed In Version:

mosquitto 1.4.12

Reference:

http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/

Patch:

https://mosquitto.org/files/cve/2017-7650/


Subtasks

Bug #7367: [3.6] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650) - Closed - Natanael Copa

Bug #7368: [3.5] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650) - Closed - Natanael Copa

Bug #7369: [3.4] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650) - Closed - Natanael Copa

Bug #7370: [3.3] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650) - Closed - Natanael Copa

History

#1 Updated by Leonardo Arena almost 2 years ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH almost 2 years ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed