Описание
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | released | 1.4.12-1 |
| esm-apps/xenial | released | 1.4.8-1ubuntu0.16.04.1 |
| esm-infra-legacy/trusty | released | 0.15-2ubuntu1.1 |
| precise/esm | DNE | |
| trusty | released | 0.15-2ubuntu1.1 |
| trusty/esm | released | 0.15-2ubuntu1.1 |
| upstream | released | 1.4.10-3 |
| vivid/stable-phone-overlay | DNE | |
| vivid/ubuntu-core | DNE | |
| xenial | released | 1.4.8-1ubuntu0.16.04.1 |
Показывать по
EPSS
4 Medium
CVSS2
6.5 Medium
CVSS3
Связанные уязвимости
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clie ...
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
EPSS
4 Medium
CVSS2
6.5 Medium
CVSS3