CVE-2018-12546

Name: CVE-2018-12546
Description: In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive), when a client publishes a retained message to a topic and then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able to cause effects that would otherwise not be allowed.
Source: CVE (cross-references at NVD, CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues)
References: DSA-4388-1
NVD severity: medium (attack range: remote)
Debian Bugs: 921976

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                     | Version          | Status
mosquitto (PTS)  | jessie                      | 1.3.4-2+deb8u1   | vulnerable
                 | jessie (security)           | 1.3.4-2+deb8u3   | vulnerable
                 | stretch (security), stretch | 1.4.10-3+deb9u4  | fixed
                 | buster, sid                 | 1.5.7-1          | fixed

The information below is based on the following data on fixed versions.

Package    | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
mosquitto  | source | (unstable) | 1.5.6-1          | medium  |            | 921976
mosquitto  | source | stretch    | 1.4.10-3+deb9u3  | medium  | DSA-4388-1 |

Notes

[jessie] - mosquitto <ignored> (Minor issue)
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12546
