CVE-2018-12551: Improper Check or Handling of Exceptional Conditions in Eclipse Foundation Eclipse Mosquitto

Severity
8.1 HIGH (NVD)
EPSS
0.7% (top 27.78%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 27, 2019
Latest update: May 13, 2022

Description

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who hav
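The condition the description gives (a malformed line becomes a username with no stored password, and the broker then accepts that username without checking a password) is easy to see in a small model. The following Python is an added example written for this page, not code from Eclipse Mosquitto (which is written in C): it contrasts a parser that mimics the pre-1.5.6 handling described above with a strict parser that rejects malformed lines, run over a constructed sample password file. The `user:$6$<salt>$<hash>` line layout and the salted SHA-512 hash used for the one well-formed entry are assumptions about Mosquitto 1.x entries that the page does not state; the handling of the malformed lines, which is the point here, does not depend on them.

```python
"""Added example: how malformed lines in a Mosquitto-style password file
become no-password users (the CVE-2018-12551 condition) and one way to
reject them. Not Mosquitto code; the hash layout is an assumption."""
import base64
import hashlib
import hmac
import os


def make_entry(username, password, salt=None):
    """Build a 'user:$6$<b64 salt>$<b64 hash>' line.
    Assumption: hash = SHA-512(password || raw salt), as in 1.x '$6$' entries."""
    salt = salt if salt is not None else os.urandom(12)
    digest = hashlib.sha512(password.encode() + salt).digest()
    return "%s:$6$%s$%s" % (username,
                             base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


ALICE_PASSWORD = "correct horse"

# Constructed sample file: one well-formed entry followed by the malformed
# inputs the advisory describes (blank line, no separator, empty password).
SAMPLE_PASSWORD_FILE = "\n".join([
    make_entry("alice", ALICE_PASSWORD, salt=b"0123456789ab"),
    "",        # blank line: becomes the empty username with no password
    "bob",     # no ':' at all: becomes user 'bob' with no password
    "carol:",  # empty password field: becomes user 'carol' with no password
])


def parse_vulnerable(text):
    """Mimic the pre-1.5.6 handling the advisory describes: every line becomes
    a user; anything after the first ':' is the stored hash, else no password."""
    users = {}
    for line in text.splitlines():
        username, sep, stored = line.partition(":")
        users[username] = stored if sep and stored else None
    return users


def check_vulnerable(users, username, password):
    """A user with no stored hash is accepted whatever the password (the bypass)."""
    if username not in users:
        return False
    stored = users[username]
    if stored is None:
        return True
    return verify_hash(stored, password)


def verify_hash(stored, password):
    """Constant-time check of a '$6$salt$hash' value against a candidate password."""
    if password is None:
        return False
    try:
        _, tag, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False
    if tag != "6":
        return False
    actual = hashlib.sha512(password.encode() + salt).digest()
    return hmac.compare_digest(actual, expected)


def parse_hardened(text):
    """Strict parser: accept only 'user:$6$<b64>$<b64>' lines, report the rest.
    Returns (users, errors); errors is a list of (line number, reason)."""
    users, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            errors.append((lineno, "blank line"))
            continue
        username, sep, stored = line.partition(":")
        if not sep or not username or not stored:
            errors.append((lineno, "missing username or password field"))
            continue
        parts = stored.split("$")
        if len(parts) != 4 or parts[0] != "" or parts[1] != "6" or not parts[2] or not parts[3]:
            errors.append((lineno, "unrecognised hash format"))
            continue
        try:
            base64.b64decode(parts[2], validate=True)
            base64.b64decode(parts[3], validate=True)
        except ValueError:
            errors.append((lineno, "hash fields are not valid base64"))
            continue
        users[username] = stored
    return users, errors


def check_hardened(users, username, password):
    """Every loaded user carries a hash, so there is no no-password path."""
    stored = users.get(username)
    return stored is not None and verify_hash(stored, password)
```

Against the sample file, the vulnerable model lets a client connect as `""`, `bob` or `carol` with any password or none, while the strict parser loads only `alice` and reports lines 2, 3 and 4. Running `parse_hardened` over a real password file is a quick audit for such lines on brokers that cannot yet move to a fixed release (Debian's fixed version on this page is 1.5.6-1).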

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (3 packages)

Source    | Package                                   | Affected versions
CVEListV5 | the_eclipse_foundation/eclipse_mosquitto  | from 1.0, fixed version unspecified (+1 more range)
Debian    | eclipse/mosquitto                         | < 1.5.6-1 (+3 more)
NVD       | eclipse/mosquitto                         | 1.0 through 1.5.5

Vulnerability Details (3 entries)

GHSA     GHSA-5hh6-jrm5-mqxq  2022-05-13  "When Eclipse Mosquitto version 1..."
CVEList  CVE-2018-12551       2019-03-27  "When Eclipse Mosquitto version 1..."
OSV      CVE-2018-12551       2019-03-27  "When Eclipse Mosquitto version 1..."

Vendor Advisories (1 entry)

Debian  CVE-2018-12551  2018  mosquitto - When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a p...

Community (3 entries)

Bugzilla  2019-04-04  CVE-2018-12550 CVE-2018-12551 mosquitto: various flaws [epel-7]
Bugzilla  2019-04-04  CVE-2018-12551 mosquitto: improper authentication in password file
Bugzilla  2019-04-04  CVE-2018-12550 CVE-2018-12551 mosquitto: various flaws [fedora-29]
CVE-2018-12551 — HIGH severity | cvebase