CVE-2018-20145

NameCVE-2018-20145
DescriptionEclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mosquitto (PTS)stretch1.4.10-3+deb9u4fixed
stretch (security)1.4.10-3+deb9u5fixed
buster, buster (security)1.5.7-1+deb10u1fixed
bookworm, bullseye, sid2.0.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mosquittosourcejessie(not affected)
mosquittosourcestretch(not affected)
mosquittosource(unstable)1.5.5-1

Notes

[stretch] - mosquitto <not-affected> (Only affects 1.5.x)
[jessie] - mosquitto <not-affected> (Only affects 1.5.x)
https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4
https://github.com/eclipse/mosquitto/issues/1073

Search for package or bug name: Reporting problems