Vulnerability CVE-2018-12550

Vulnerability Name:

CVE-2018-12550 (CCN-156915)

Assigned:

2018-06-18

Published:

2019-02-08

Updated:

2019-10-09

Summary:

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.

CVSS v3 Severity:

8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2018-12550

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870

Source: XF
Type: UNKNOWN
eclipse-mosquitto-cve201812550-sec-bypass(156915)

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20191026 [SECURITY] [DLA 1972-1] mosquitto security update

Source: CCN
Type: Mosquitto Web site
An open source MQTT broker

Source: CCN
Type: Mosquitto Blog, 2019-02-08
Version 1.5.6 released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-12550

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:mosquitto:*:*:*:*:*:*:*:* (Version >= 1.0 and <= 1.5.5)

Configuration CCN 1:

cpe:/a:eclipse:mosquitto:1.5.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201812550	V	CVE-2018-12550	2022-06-30
oval:org.opensuse.security:def:112700	P	libmosquitto1-2.0.11-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106176	P	libmosquitto1-2.0.11-1.2 on GA media (Moderate)	2021-10-01
oval:com.ubuntu.xenial:def:2018125500000000	V	CVE-2018-12550 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-27
oval:com.ubuntu.bionic:def:201812550000	V	CVE-2018-12550 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-27
oval:com.ubuntu.disco:def:2018125500000000	V	CVE-2018-12550 on Ubuntu 19.04 (disco) - medium.	2019-03-27
oval:com.ubuntu.cosmic:def:201812550000	V	CVE-2018-12550 on Ubuntu 18.10 (cosmic) - medium.	2019-03-27
oval:com.ubuntu.cosmic:def:2018125500000000	V	CVE-2018-12550 on Ubuntu 18.10 (cosmic) - medium.	2019-03-27
oval:com.ubuntu.trusty:def:201812550000	V	CVE-2018-12550 on Ubuntu 14.04 LTS (trusty) - medium.	2019-03-27
oval:com.ubuntu.bionic:def:2018125500000000	V	CVE-2018-12550 on Ubuntu 18.04 LTS (bionic) - medium.	2019-03-27
oval:com.ubuntu.xenial:def:201812550000	V	CVE-2018-12550 on Ubuntu 16.04 LTS (xenial) - medium.	2019-03-27

BACK