Vulnerability Description
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
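The mechanism behind this description is that a pattern ACL such as `pattern read sensors/%u/data` is expanded by substituting the client's username (`%u`) or client id (`%c`) into the topic filter before the filter is matched, so an identity made of MQTT wildcard characters becomes a wildcard in the resulting filter. The following is an added illustration written for this page, not Mosquitto's own code: it models the substitution-then-match flow, shows how a username of '+' or '#' widens the filter, and contrasts it with a check that refuses to substitute an identity containing wildcard characters. The pattern strings, usernames and topics are constructed sample values; the hardened check is one reasonable mitigation and is not presented as the exact upstream fix.

```python
"""Model of pattern-based MQTT ACL evaluation, illustrating CVE-2017-7650.

This is a simplified re-implementation of the idea (not Mosquitto's code):
'%u' and '%c' in a pattern are replaced by the client's username and client
id, and the resulting topic filter is matched against the requested topic.
"""

# MQTT wildcard characters that must never originate from a client identity
WILDCARDS = ("#", "+")


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' (final level only) matches the rest."""
    levels = topic_filter.split("/")
    parts = topic.split("/")
    for i, level in enumerate(levels):
        if level == "#":
            # Multi-level wildcard is only valid as the last level; it then matches everything below.
            return i == len(levels) - 1
        if i >= len(parts):
            return False
        if level != "+" and level != parts[i]:
            return False
    return len(levels) == len(parts)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Substitute the client identity into the ACL pattern (no validation of the identity)."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows_naive(pattern: str, username: str, client_id: str, topic: str) -> bool:
    """Vulnerable flow: substitute first, then match. Wildcards in the identity become filter wildcards."""
    return topic_matches(expand_pattern(pattern, username, client_id), topic)


def identity_is_safe(username: str, client_id: str) -> bool:
    """True when neither the username nor the client id contains an MQTT wildcard character."""
    return not any(w in username or w in client_id for w in WILDCARDS)


def acl_allows_hardened(pattern: str, username: str, client_id: str, topic: str) -> bool:
    """Mitigated flow (assumed design): deny outright if the identity carries wildcard characters."""
    if not identity_is_safe(username, client_id):
        return False
    return acl_allows_naive(pattern, username, client_id, topic)


if __name__ == "__main__":
    # Constructed scenarios: a per-user data topic and a per-user subtree.
    cases = [
        ("sensors/%u/data", "alice", "c1", "sensors/alice/data"),   # legitimate access
        ("sensors/%u/data", "alice", "c1", "sensors/bob/data"),     # another user's topic
        ("sensors/%u/data", "+", "c1", "sensors/bob/data"),         # '+' username widens the filter
        ("sensors/%u", "#", "c1", "sensors/bob/secret"),            # '#' username matches the subtree
    ]
    for pattern, user, cid, topic in cases:
        print(f"{pattern:18} user={user!r:8} topic={topic:22} "
              f"naive={acl_allows_naive(pattern, user, cid, topic)!s:5} "
              f"hardened={acl_allows_hardened(pattern, user, cid, topic)}")
```

The same identity check belongs in any third party plugin that performs its own `%u`/`%c` substitution, since the broker cannot know what an external plugin does with the username. Rejecting such identities at connect time, rather than at each ACL check, gives the same protection with less per-message work.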
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Mosquitto | < 1.4.12 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/ (Patch, Vendor Advisory)
- http://www.debian.org/security/2017/dsa-3865 (Third Party Advisory)
- http://www.securityfocus.com/bid/98741 (Third Party Advisory, VDB Entry)
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=516765 (Exploit, Third Party Advisory)
FAQ
What is CVE-2017-7650?
CVE-2017-7650 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that ...
How severe is CVE-2017-7650?
CVE-2017-7650 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7650?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Mosquitto, Debian Debian Linux.