CVE-2018-12550
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.
Cuando Eclipse Mosquitto, desde la versión 1.0 hasta la 1.5.5 (incluidas), está configurado para emplear un archivo de listas de control de acceso (ACL) y ese archivo está vacío o solo contiene comentarios o líneas en blanco, Mosquitto considerará que no se ha definido ningún archivo ACL y empleará una política de permisividad por defecto. El nuevo comportamiento es que un archivo ACL vacío significa que todos los accesos se deniegan, lo que no es una configuración útil, pero no se espera.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-06-18 CVE Reserved
- 2019-02-11 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-440: Expected Behavior Violation
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870 | 2019-10-09 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Eclipse Search vendor "Eclipse" | Mosquitto Search vendor "Eclipse" for product "Mosquitto" | >= 1.0 <= 1.5.5 Search vendor "Eclipse" for product "Mosquitto" and version " >= 1.0 <= 1.5.5" | - |
Affected
|