CVE-2018-12551
https://notcve.org/view.php?id=CVE-2018-12551
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401 https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html • CWE-287: Improper Authentication CWE-703: Improper Check or Handling of Exceptional Conditions •
CVE-2018-12550
https://notcve.org/view.php?id=CVE-2018-12550
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected. Cuando Eclipse Mosquitto, desde la versión 1.0 hasta la 1.5.5 (incluidas), está configurado para emplear un archivo de listas de control de acceso (ACL) y ese archivo está vacío o solo contiene comentarios o líneas en blanco, Mosquitto considerará que no se ha definido ningún archivo ACL y empleará una política de permisividad por defecto. El nuevo comportamiento es que un archivo ACL vacío significa que todos los accesos se deniegan, lo que no es una configuración útil, pero no se espera. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870 https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html • CWE-440: Expected Behavior Violation •
CVE-2018-20145
https://notcve.org/view.php?id=CVE-2018-20145
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. Eclipse Mosquitto en versiones 1.5.x anteriores a la 1.5.5 permite la omisión de las listas de control de acceso: si la opción per_listener_settings está establecida como True, el escuchador por defecto se está empleando y el escuchador por defecto especifica un acl_file, el archivo acl se ignora. • https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4 https://github.com/eclipse/mosquitto/issues/1073 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2018-12543
https://notcve.org/view.php?id=CVE-2018-12543
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. En Eclipse Mosquitto, de la versión 1.5 a la 1.5.2 inclusive, si se publica un mensaje en Mosquitto con un tema que empieza por $, pero que no es $SYS, e.g. $test/test, se desencadena una aserción que, de otra forma, no debería ser alcanzable y Mosquitto se cerrará. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=539295 • CWE-20: Improper Input Validation CWE-617: Reachable Assertion •
CVE-2017-7654
https://notcve.org/view.php?id=CVE-2017-7654
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker. En Eclipse Mosquitto en versiones 1.4.15 y anteriores, se ha descubierto una vulnerabilidad de fuga de memoria en el broker Mosquitto. Los clientes no autenticados pueden enviar paquetes CONNECT manipulados que podrían provocar una denegación de servicio (DoS) en el broker Mosquitto. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493 https://lists.debian.org/debian-lts-announce/2018/09/msg00036.html https://usn.ubuntu.com/4023-1 https://www.debian.org/security/2018/dsa-4325 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-772: Missing Release of Resource after Effective Lifetime •