
CVE-2017-7650

Published: 11/09/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

In Mosquitto prior to 1.4.12, pattern-based ACLs can be bypassed by clients that set their username or client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third-party authentication/access control plugins for Mosquitto.

Vulnerable Products

eclipse mosquitto

debian debian linux 8.0

Vendor Advisories

It was discovered that pattern-based ACLs in the Mosquitto MQTT broker could be bypassed. For the stable distribution (jessie), this problem has been fixed in version 1.3.4-2+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 1.4.10-3. We recommend that you upgrade your mosquitto packages ...