Vulnerability Description
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, the default listener was in use, and the default listener specified an acl_file, then that ACL file was ignored.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Mosquitto | >= 1.5, < 1.5.5 |
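
The following configuration audit is an added example, not code from the Mosquitto project or from this advisory. It checks a mosquitto.conf and a broker version against the three conditions in the description and the affected range in the table. It assumes that directives before the first `listener` line belong to the default listener and that the default listener is in use when `port` is set there or no `listener` line exists; the sample configs and file paths are constructed.

```python
# Added example: audit a mosquitto.conf for the CVE-2018-20145 preconditions.
# Assumptions (not from the advisory): directives before the first `listener`
# line belong to the default listener, and the default listener is "in use"
# when `port` is set there or when no `listener` line exists.

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def audit(conf_text, version):
    """Return (exposed, conditions) for one config file and broker version."""
    default_opts = {}        # directives scoped to the default listener
    per_listener = False     # global option, tracked wherever it appears
    extra_listeners = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "per_listener_settings":
            per_listener = value == "true"
        elif key == "listener":
            extra_listeners += 1
        elif extra_listeners == 0:
            default_opts[key] = value
    conditions = {
        "affected_version": (1, 5) <= parse_version(version) < (1, 5, 5),
        "per_listener_settings": per_listener,
        "default_listener_in_use": "port" in default_opts or extra_listeners == 0,
        "default_listener_acl_file": "acl_file" in default_opts,
    }
    return all(conditions.values()), conditions

# Constructed sample configs; the file paths are placeholders.
EXPOSED_CONF = """\
per_listener_settings true
port 1883
acl_file /etc/mosquitto/acl_default
listener 8883
acl_file /etc/mosquitto/acl_tls
"""
LISTENER_ONLY_CONF = """\
per_listener_settings true
listener 8883
acl_file /etc/mosquitto/acl_tls
"""
```

A result of `True` means all four conditions hold, so the ACL file on the default listener should be treated as not enforced until the broker is upgraded to 1.5.5 or later.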
Related Weaknesses (CWE)
References
- https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt (Third Party Advisory)
- https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808cc (Patch, Third Party Advisory)
- https://github.com/eclipse/mosquitto/issues/1073 (Issue Tracking, Patch, Third Party Advisory)
FAQ
What is CVE-2018-20145?
CVE-2018-20145 is a vulnerability with a CVSS score of 7.5 (HIGH). Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then t...
How severe is CVE-2018-20145?
CVE-2018-20145 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-20145?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Mosquitto.