
CVE-2017-7650

Published: 11 September 2017

In Mosquitto before 1.4.12, pattern-based ACLs (acl_file "pattern" rules that substitute the username for %u and the client id for %c) can be bypassed by a client that sets its username or client id to '#' or '+'. The substituted value becomes part of the topic filter, so the expanded rule matches topics belonging to other users, letting locally or remotely connected clients access MQTT topics they do not have the rights to. The same issue may be present in third-party authentication/access-control plugins for Mosquitto that build filters from the client's identity in the same way.
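The following is an added illustration of the bug class, not Mosquitto's own code: a minimal model of pattern ACLs in which '%u' is replaced by the username and '%c' by the client id and the result is matched as an MQTT topic filter ('+' matches one level, '#' the rest of the topic). The pattern strings, identities and topics are constructed for the example, and the mitigation shown, refusing identities that contain wildcard characters before they are spliced into a filter, is one defensible fix rather than a claim about the exact upstream patch.

```python
# Added example: toy model of Mosquitto-style pattern ACLs and the
# CVE-2017-7650 bypass. Not Mosquitto's code; pattern syntax (%u/%c) follows
# the documented acl_file format, everything else is constructed here.

WILDCARDS = frozenset("+#")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter match: '+' = exactly one level,
    '#' = this level and everything below, only valid as the last level."""
    f = topic_filter.split("/")
    t = topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            # '#' is only a wildcard at the end of the filter; "a/#/b" is invalid.
            return i == len(f) - 1
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Pattern ACL substitution as in acl_file 'pattern' rules."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows(patterns, username: str, client_id: str, topic: str) -> bool:
    """Vulnerable check: identity text is spliced into the filter unchecked,
    so a username of '#' or '+' turns a per-user rule into a wildcard."""
    return any(topic_matches(expand_pattern(p, username, client_id), topic)
               for p in patterns)


def identity_is_safe(username: str, client_id: str) -> bool:
    """Assumed mitigation: identities may not contain topic wildcards."""
    return not (WILDCARDS & set(username)) and not (WILDCARDS & set(client_id))


def acl_allows_hardened(patterns, username: str, client_id: str,
                        topic: str) -> bool:
    """Hardened check: reject wildcard-bearing identities up front (in a
    broker this belongs at CONNECT time, before any ACL lookup)."""
    if not identity_is_safe(username, client_id):
        return False
    return acl_allows(patterns, username, client_id, topic)


# Constructed ACL: each user may read their own readings, each device
# may publish its own status.
PATTERNS = ["readings/%u", "devices/%c/status"]


if __name__ == "__main__":
    cases = [
        ("alice", "dev-1", "readings/alice"),    # legitimate
        ("alice", "dev-1", "readings/bob"),      # should be denied
        ("#", "dev-1", "readings/bob"),          # username '#' -> "readings/#"
        ("alice", "+", "devices/other/status"),  # client id '+' -> "devices/+/status"
    ]
    for user, cid, topic in cases:
        print(f"{user!r:8} {cid!r:8} {topic:22} vulnerable={acl_allows(PATTERNS, user, cid, topic)!s:5} "
              f"hardened={acl_allows_hardened(PATTERNS, user, cid, topic)}")
```

The vulnerable path grants the third and fourth cases because the expanded filters "readings/#" and "devices/+/status" are perfectly valid MQTT filters; the hardened path refuses them without consulting the patterns, while the legitimate first case still passes.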

Priority: Medium

CVSS 3 base score: 6.5

Status

Package: mosquitto (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (1.4.10-3)
Ubuntu 16.04 ESM (Xenial Xerus)  Released (1.4.8-1ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr)   Released (0.15-2ubuntu1.1)