CVE-2018-12546

Name: CVE-2018-12546
Description: In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive), when a client publishes a retained message to a topic and then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able to cause effects that would otherwise not be allowed.
Source: CVE (at NVD)
References: DSA-4388-1
NVD severity: medium
Debian Bugs: 921976

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                       Version           Status
mosquitto (PTS)    stretch (security), stretch   1.4.10-3+deb9u4   fixed
                   buster, buster (security)     1.5.7-1+deb10u1   fixed
                   bullseye, sid                 1.6.12-1          fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
mosquitto   source   stretch      1.4.10-3+deb9u3             DSA-4388-1
mosquitto   source   (unstable)   1.5.6-1                                  921976

Notes

[jessie] - mosquitto <ignored> (Minor issue)
https://mosquitto.org/blog/2019/02/version-1-5-6-released/
https://mosquitto.org/files/cve/2018-12546
