CVE-2018-12550 — Expected Behavior Violation in Eclipse Foundation Eclipse Mosquitto

CWE-440 — Expected Behavior Violation8 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.5%

top 35.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Mosquitto Eclipse Mosquitto

Timeline

PublishedMar 27

Latest updateMay 13

Description

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5the_eclipse_foundation/eclipse_mosquitto1.0 — unspecified+1

▶Debianeclipse/mosquitto< 1.5.6-1+3

▶NVDeclipse/mosquitto1.0 — 1.5.5

🔴Vulnerability Details

GHSA

GHSA-5cgw-j2m3-gxhw: When Eclipse Mosquitto version 1↗2022-05-13

▶

OSV

CVE-2018-12550: When Eclipse Mosquitto version 1↗2019-03-27

▶

CVEList

CVE-2018-12550: When Eclipse Mosquitto version 1↗2019-03-27

▶

📋Vendor Advisories

Debian

CVE-2018-12550: mosquitto - When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ...↗2018

▶

💬Community

Bugzilla

CVE-2018-12550 mosquitto: improper access control in ACL file leads to use default allow policy↗2019-04-04

▶

Bugzilla

CVE-2018-12550 CVE-2018-12551 mosquitto: various flaws [epel-7]↗2019-04-04

▶

Bugzilla

CVE-2018-12550 CVE-2018-12551 mosquitto: various flaws [fedora-29]↗2019-04-04

▶