CVE-2018-12551

Name
CVE-2018-12551
Description
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401
MLIST https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:* mosquitto >= 1.0 <= 1.5.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status