CVE-2017-7650
Published 2017-09-11
Priority: P339, medium, CVSS 3.0 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 2.47% (82.5th percentile)
In Mosquitto before 1.4.12, pattern-based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third-party authentication/access control plugins for Mosquitto.
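As an added illustration (not Mosquitto's own code), the Python below simulates a pattern-based ACL: `%u`/`%c` are substituted into the topic filter, so a username or client id of `#` or `+` turns the expanded filter into a wildcard, and a CONNECT-time identity check closes that gap. All function names and the sample ACL patterns are hypothetical.

```python
# Simulation of pattern-based ACLs (constructed example, not Mosquitto code).
# Shows why a '#' or '+' identity widens the expanded filter, and the check
# a broker or auth plugin can apply before the identity is ever substituted.

MQTT_WILDCARDS = "+#"


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT wildcard match: '+' matches one level, '#' the rest of the topic."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # multi-level wildcard swallows everything that follows
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Pattern ACLs substitute %u (username) and %c (client id) into the filter."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows(patterns, username: str, client_id: str, topic: str) -> bool:
    """Vulnerable behaviour: the identity is substituted without validation."""
    return any(topic_matches(expand_pattern(p, username, client_id), topic)
               for p in patterns)


def identity_is_valid(identity: str) -> bool:
    """Hardening: refuse usernames/client ids carrying MQTT wildcard characters."""
    return not any(ch in MQTT_WILDCARDS for ch in identity)


def acl_allows_hardened(patterns, username: str, client_id: str, topic: str) -> bool:
    """Same ACL evaluation, but a wildcard-bearing identity is denied outright."""
    if not (identity_is_valid(username) and identity_is_valid(client_id)):
        return False
    return acl_allows(patterns, username, client_id, topic)


# Constructed patterns, in the spirit of 'pattern' lines in a mosquitto acl_file.
PATTERNS = ["sensors/%u/temp", "clients/%c/#"]

if __name__ == "__main__":
    print(acl_allows(PATTERNS, "alice", "c1", "sensors/bob/temp"))          # False
    print(acl_allows(PATTERNS, "#", "c1", "sensors/bob/temp"))              # True: bypass
    print(acl_allows_hardened(PATTERNS, "#", "c1", "sensors/bob/temp"))     # False
```

The same check belongs in any third-party auth plugin that performs its own `%u`/`%c` substitution, since the advisory notes the issue may be present there too.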
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | mosquitto | < 1.4.10-3 (bookworm) | 1.4.10-3 (bookworm) |
| eclipse | mosquitto | < 1.4.12 | 1.4.12 |
| eclipse | mosquitto | >= 0, < 1.4.10-3 | 1.4.10-3 |
| eclipse_foundation | mosquitto | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
GHSA
GHSA-vcg2-pq78-9mhr (ghsa_unreviewed, 2022-05-13): CVE-2017-7650 [MEDIUM], CWE-287. Carries the same description as the record above.
OSV
CVE-2017-7650 (osv, 2017-09-11, CVSS 6.5, MEDIUM). Carries the same description as the record above.
Debian
CVE-2017-7650: mosquitto (vendor_debian, 2017, CVSS 6.5, MEDIUM). Carries the same description as the record above.
Scope: local
bookworm: resolved (fixed in 1.4.10-3)
bullseye: resolved (fixed in 1.4.10-3)
forky: resolved (fixed in 1.4.10-3)
sid: resolved (fixed in 1.4.10-3)
trixie: resolved (fixed in 1.4.10-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed [epel-7] (bugzilla, 2017-05-29, CVSS 6.5, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg update
Bugzilla
CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed [fedora-all] (bugzilla, 2017-05-29, CVSS 6.5, MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of F
Bugzilla
CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed (bugzilla, 2017-05-29, CVSS 6.5, MEDIUM)
A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.
Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.
External References:
http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/
Discussion:
Created mosquitto tracking bugs for this issue:
Affects: epel-7 [bug 1456509]
Affects: fedora-all [bug 1456508]
References:
http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/
http://www.debian.org/security/2017/dsa-3865
http://www.securityfocus.com/bid/98741
https://bugs.eclipse.org/bugs/show_bug.cgi?id=516765