| Summary: | <app-misc/mosquitto-1.4.12: Pattern based ACLs can be bypassed | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | neil, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1456507 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
The most current version in the tree is 1.4.14 and only versions before 1.4.12 are vulnerable. Since nothing is left this bug is resolved. The stabilization was done in bug 625290 by the way. Gentoo Security Padawan Kivak (In reply to Aleksandr Wagner (Kivak) from comment #1) > The most current version in the tree is 1.4.14 and only versions before > 1.4.12 are vulnerable. Since nothing is left this bug is resolved. > > The stabilization was done in bug 625290 by the way. > > Gentoo Security Padawan > Kivak Thank you, @Security please vote, and add cve to database. GLSA Vote: No |
From ${URL} : A vulnerability exists in Mosquitto versions 0.15 to 1.4.11. Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use. External References: @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.