CVE-2018-12546

Published: 27/03/2019 Updated: 28/03/2019
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 383
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Vulnerability Summary

A vulnerability in Eclipse Mosquitto could allow an authenticated, remote malicious user to perform unauthorized actions on a targeted system. The vulnerability is due to improper security restrictions imposed by the affected software. An attacker who has access to publish a retained message to a particular topic could exploit this vulnerability by sending a retained message to other subscribers. If the attacker’s access is later revoked, the retained message could still be delivered to future subscribers. A successful exploit could be used to conduct further attacks. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. Eclipse has confirmed the vulnerability and released software updates.
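
The condition in the summary (a retained message outliving its publisher's access) can be checked from the defender's side by comparing each retained message's original publisher against the current write ACL. The following is an added example, not code from this page or from Eclipse; the record fields (`topic`, `source_user`), the ACL dictionary and all sample values are hypothetical and constructed for illustration.

```python
# Added example: audit retained messages against the *current* write ACL.
# All records below are constructed sample data, not broker output.

def topic_matches(pattern, topic):
    """MQTT topic-filter match: '+' is one level, '#' is all remaining levels.
    '$'-prefixed topics are not special-cased in this sketch."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1   # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if p != "+" and p != t_levels[i]:
            return False
    return len(p_levels) == len(t_levels)

def can_write(acl, user, topic):
    """True if any write pattern currently granted to `user` covers `topic`."""
    return any(topic_matches(p, topic) for p in acl.get(user, ()))

def stale_retained(retained, acl):
    """Return retained messages whose original publisher can no longer
    publish to that topic under the current ACL."""
    return [m for m in retained
            if not can_write(acl, m["source_user"], m["topic"])]

# Constructed sample: write ACL after 'contractor' lost access to plant/#
# and the 'retired-svc' account was removed entirely.
CURRENT_WRITE_ACL = {
    "gateway": ["plant/+/temperature", "plant/status"],
    "contractor": ["visitors/#"],
}
RETAINED = [
    {"topic": "plant/line1/temperature", "source_user": "gateway", "payload": b"21.5"},
    {"topic": "plant/line1/setpoint", "source_user": "contractor", "payload": b"95"},
    {"topic": "visitors/badge/7", "source_user": "contractor", "payload": b"ok"},
    {"topic": "plant/status", "source_user": "retired-svc", "payload": b"up"},
]

if __name__ == "__main__":
    for m in stale_retained(RETAINED, CURRENT_WRITE_ACL):
        print(f"stale retained message on {m['topic']} from {m['source_user']}")
```

Messages flagged this way are candidates for clearing after an access change, since a subscriber cannot otherwise tell them apart from current, authorized data.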

Affected Products

Vendor: Eclipse
Product: Mosquitto
Versions: 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.90, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5

Mailing Lists

Debian Security Advisory DSA-4388-1, security@debian.org, www.debian.org/security/, Moritz Muehlenhoff, February 10, 2019, www.debian.org/security/faq ...