Launchpad.net

CVE 2017-7650

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

Related bugs and status

CVE-2017-7650 (Candidate) is related to these bugs:

Bug #1692818: Mosquitto pattern ACLs can be circumvented with special client ids or usernames

Summary				In	Importance	Status
	1692818	Mosquitto pattern ACLs can be circumvented with special client ids or usernames		mosquitto (Ubuntu)	Undecided	Fix Released

Bug #1694403: CVE-2017-7650

		In	Importance	Status
1694403	CVE-2017-7650	mosquitto (Ubuntu)	Undecided	Fix Released
1694403	CVE-2017-7650	mosquitto (Ubuntu Zesty)	Undecided	In Progress
1694403	CVE-2017-7650	mosquitto (Ubuntu Trusty)	Undecided	In Progress
1694403	CVE-2017-7650	mosquitto (Ubuntu Artful)	Undecided	Fix Released
1694403	CVE-2017-7650	mosquitto (Ubuntu Xenial)	Undecided	In Progress
1694403	CVE-2017-7650	mosquitto (Ubuntu Yakkety)	Undecided	In Progress
1694403	CVE-2017-7650	mosquitto (Ubuntu Vivid)	Undecided	New
1694403	CVE-2017-7650	mosquitto (Ubuntu Precise)	Undecided	New

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2017-7650

Related bugs and status

Related bugs

References