Vulnerability Description
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Mosquitto | >= 1.0, <= 1.5.5 |
Related Weaknesses (CWE)
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401ExploitIssue TrackingVendor Advisory
- https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html
FAQ
What is CVE-2018-12551?
CVE-2018-12551 is a vulnerability with a CVSS score of 8.1 (HIGH). When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means ...
How severe is CVE-2018-12551?
CVE-2018-12551 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-12551?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Mosquitto.