Vulnerability Details : CVE-2018-12550
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.
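A defender-side check for the condition described above, added here as an example and not part of this record or of the Mosquitto project: it classifies an ACL file as having no effective rules (empty, or only comments and blank lines), the state that versions 1.0 to 1.5.5 silently turned into allow-all, and combines that with a version check. The ACL samples are constructed for illustration.

```python
"""Audit a Mosquitto ACL file for the CVE-2018-12550 failure mode.

Mosquitto 1.0 to 1.5.5 treated an ACL file with no effective rules
(empty, or only '#' comments and blank lines) as if no acl_file were
configured and fell back to a default-allow policy. Fixed versions
deny all access for such a file instead. This script flags the
condition before a broker is deployed.
"""


def effective_rules(acl_text: str) -> list[str]:
    """Return the ACL lines that define access, skipping blank lines
    and comment lines, the same lines Mosquitto itself ignores."""
    rules = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(line)
    return rules


def acl_file_is_unsafe(acl_text: str) -> bool:
    """True when the file has no effective rules, i.e. the state an
    affected broker would treat as 'no ACL file, allow everything'."""
    return len(effective_rules(acl_text)) == 0


def version_affected(version: str) -> bool:
    """True for Mosquitto 1.0 through 1.5.5 inclusive (dotted version string)."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 0) <= parts <= (1, 5, 5)


def exposed(version: str, acl_text: str) -> bool:
    """A deployment is exposed only when both conditions hold."""
    return version_affected(version) and acl_file_is_unsafe(acl_text)


# Constructed sample ACL files, not taken from any real deployment.
EMPTY_ACL = ""
COMMENT_ONLY_ACL = "# ACL for sensors\n\n   # TODO: add rules\n"
REAL_ACL = "# telemetry readers only\nuser sensor01\ntopic read sensors/#\n"

if __name__ == "__main__":
    for name, text in [("empty", EMPTY_ACL), ("comments", COMMENT_ONLY_ACL), ("rules", REAL_ACL)]:
        state = "UNSAFE on 1.0-1.5.5" if acl_file_is_unsafe(text) else "OK"
        print(f"{name}: {len(effective_rules(text))} rule line(s), {state}")
```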
Products affected by CVE-2018-12550
- cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12550
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- Percentile: ~52% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-12550
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2018-12550
- A feature, API, or function does not perform according to its specification. Assigned by: emo@eclipse.org (Secondary)
References for CVE-2018-12550
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870
  541870 – (CVE-2018-12550) mosquitto: An empty ACL file grant all permissions to clients (Issue Tracking; Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html
  [SECURITY] [DLA 1972-1] mosquitto security update