CVE-2018-20145 — Incorrect Permission Assignment in Mosquitto

CWE-732 — Incorrect Permission Assignment8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 56.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Mosquitto

Timeline

PublishedDec 13

Latest updateMay 13

Description

Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDeclipse/mosquitto1.5 — 1.5.5

▶Debianeclipse/mosquitto< 1.5.5-1+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-p6fp-h8pq-3x5p: Eclipse Mosquitto 1↗2022-05-13

▶

OSV

CVE-2018-20145: Eclipse Mosquitto 1↗2018-12-13

▶

CVEList

CVE-2018-20145: Eclipse Mosquitto 1↗2018-12-13

▶

📋Vendor Advisories

Debian

CVE-2018-20145: mosquitto - Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listen...↗2018

▶

💬Community

Bugzilla

CVE-2018-20145 mosquitto: Possible ACL bypass [fedora-all]↗2018-12-18

▶

Bugzilla

CVE-2018-20145 mosquitto: Possible ACL bypass↗2018-12-18

▶

Bugzilla

CVE-2018-20145 mosquitto: Possible ACL bypass [epel-7]↗2018-12-18

▶