
Bug #7367

Bug #7366: mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650)

[3.6] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650)

Added by Alicha CH about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 06/01/2017
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.

Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.
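The following model of a pattern based ACL check is an added illustration, not code from mosquitto or from this report. It assumes mosquitto's documented substitution of %u (username) and %c (client id) into ACL patterns and standard MQTT wildcard matching; the ACL rules and identities are constructed, and the hardening shown (refusing identifiers that contain wildcard characters before any pattern is expanded) is one mitigation, not a claim about the exact upstream patch.

```python
"""Model of pattern based ACL evaluation and the CVE-2017-7650 bypass (added example)."""

# Constructed ACL rules in mosquitto's pattern style: %u = username, %c = client id.
ACLS = [
    ("read", "sensors/%u/#"),       # a user may read only its own sensor tree
    ("write", "devices/%c/cmd"),    # a device may write only its own command topic
]


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT wildcard matching: '+' matches one level, '#' matches the remainder."""
    pat = pattern.split("/")
    top = topic.split("/")
    for i, seg in enumerate(pat):
        if seg == "#":
            return True              # everything from here on matches
        if i >= len(top):
            return False
        if seg != "+" and seg != top[i]:
            return False
    return len(pat) == len(top)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Substitute the client's identity into the pattern, as pattern ACLs do."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows_vulnerable(username: str, client_id: str, access: str, topic: str) -> bool:
    """Pre-1.4.12 behaviour: identity is substituted unchecked, so a username of
    '#' turns 'sensors/%u/#' into 'sensors/#/#', which matches every sensor topic."""
    for acl_access, pattern in ACLS:
        if acl_access != access:
            continue
        if topic_matches(expand_pattern(pattern, username, client_id), topic):
            return True
    return False


def acl_allows_fixed(username: str, client_id: str, access: str, topic: str) -> bool:
    """Hardened check (mitigation assumed for this example): an identity that
    contains a wildcard character can never be substituted into a pattern."""
    if any(ch in username or ch in client_id for ch in "+#"):
        return False
    return acl_allows_vulnerable(username, client_id, access, topic)
```

Running the two checks side by side with username "alice" and then "#" shows the first correctly restricting reads to sensors/alice/#, while the vulnerable variant lets the wildcard identity read sensors/bob/temp and the hardened one denies it.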

Fixed In Version:

mosquitto 1.4.12

Reference:

http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/

Patch:

https://mosquitto.org/files/cve/2017-7650/

Associated revisions

Revision 79170b17 (diff)
Added by Natanael Copa about 2 years ago

main/mosquitto: security upgrade to 1.4.12 (CVE-2017-7650)

fixes #7367

History

#1 Updated by Natanael Copa about 2 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH about 2 years ago

  • Category set to Security
  • Status changed from Resolved to Closed
