1456507 – (CVE-2017-7650) CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed

Bug 1456507 (CVE-2017-7650) - CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed

Summary: CVE-2017-7650 mosquitto: Pattern based ACLs can be bypassed

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-7650
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1456508 1456509
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-29 13:42 UTC by Andrej Nemec
Modified:	2021-02-17 02:06 UTC (History)
CC List:	3 users (show)
Fixed In Version:	mosquitto 1.4.12
Clone Of:
Environment:
Last Closed:	2018-05-05 10:19:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-05-29 13:42:11 UTC

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11.

Pattern based ACLs can be bypassed by clients that set their username/client id to ‘#’ or ‘+’. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

External References:

http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/

Comment 1 Andrej Nemec 2017-05-29 13:42:40 UTC

Created mosquitto tracking bugs for this issue:

Affects: epel-7 [bug 1456509]
Affects: fedora-all [bug 1456508]

Note You need to log in before you can comment on or make changes to this bug.