CVE-2017-7650 — Improper Authentication in Mosquitto

CWE-287 — Improper Authentication8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

1.1%

top 21.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mosquitto Eclipse Foundation Mosquitto Debian Linux

Timeline

PublishedSep 11

Latest updateMay 13

Description

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDeclipse/mosquitto< 1.4.12

▶Debianeclipse/mosquitto< 1.4.10-3+3

▶CVEListV5eclipse_foundation/mosquitto0.15 to 1.4.11 inclusive

Also affects: Debian Linux 8.0

Patches

Patch: mosquitto.org ↗Patch: mosquitto.org ↗

🔴Vulnerability Details

GHSA

GHSA-vcg2-pq78-9mhr: In Mosquitto before 1↗2022-05-13

▶

OSV

CVE-2017-7650: In Mosquitto before 1↗2017-09-11

▶

CVEList

CVE-2017-7650: In Mosquitto before 1↗2017-09-11

▶

📋Vendor Advisories

Debian

CVE-2017-7650: mosquitto - In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that s...↗2017

▶

💬Community

Bugzilla

CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed [epel-7]↗2017-05-29

▶

Bugzilla

CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed [fedora-all]↗2017-05-29

▶

Bugzilla

CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed↗2017-05-29

▶