[3.6] mosquitto: Pattern based ACLs can be bypassed (CVE-2017-7650)
ID: oval:org.secpod.oval:def:1800661 | Date: (C)2018-03-28 (M)2023-04-17
Class: PATCH | Family: unix
A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern based ACLs can be bypassed by clients that set their username/client id to # or +. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.
Fixed In Version: mosquitto 1.4.12
Reference:
Patch:
Platform: Alpine Linux 3.6