SB2017060121 - Improper input validation in mosquitto (Alpine package)
Published: June 1, 2017
Security Bulletin ID: SB2017060121
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper input validation (CVE-ID: CVE-2017-7650)
The vulnerability allows a remote attacker to bypass certain security restrictions. The vulnerability exists due to improper handling of usernames containing ‘#’ or ‘+’ characters within pattern-based ACLs. A remote attacker can create a specially crafted username and bypass implemented security mechanisms.
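The flaw described above, modelled as an added example (not code from mosquitto or the Alpine package): it assumes a pattern ACL of the form `sensors/%u/#`, where `%u` is replaced by the client's username, and shows the unchecked substitution beside a check that refuses usernames containing `+` or `#`. The function names, the pattern and the sample usernames are constructed for illustration.

```python
# Simplified model of MQTT pattern-ACL matching (illustration, not mosquitto's code).
WILDCARDS = "+#"

def topic_matches(topic_filter, topic):
    """MQTT filter match: '+' covers one level, '#' covers all remaining levels."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def naive_allowed(pattern, username, topic):
    """Unchecked substitution: wildcard characters in the username become
    wildcards in the resulting topic filter."""
    return topic_matches(pattern.replace("%u", username), topic)

def hardened_allowed(pattern, username, topic):
    """Refuse pattern-ACL access for any username containing '+' or '#'."""
    if any(ch in WILDCARDS for ch in username):
        return False
    return topic_matches(pattern.replace("%u", username), topic)

def risky_usernames(usernames):
    """Audit helper: accounts whose names contain MQTT wildcard characters."""
    return [u for u in usernames if any(ch in WILDCARDS for ch in u)]

if __name__ == "__main__":
    pattern = "sensors/%u/#"                  # constructed ACL pattern
    topic = "sensors/bob/temp"                # topic belonging to another user
    for user in ["alice", "bob", "#", "+"]:   # constructed usernames
        print(f"{user!r:8} naive={naive_allowed(pattern, user, topic)} "
              f"hardened={hardened_allowed(pattern, user, topic)}")
    print("flag for review:", risky_usernames(["alice", "#", "bob+1", "+"]))
```

On brokers that cannot be updated immediately, `risky_usernames` run over the account list shows which existing accounts would widen a pattern ACL.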
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c7054f04ca2564f83a1f8584c51980f47d479bfc
- https://git.alpinelinux.org/aports/commit/?id=320ecd9d42687d45b7c82d0d14ac9e92a5b9b1e3
- https://git.alpinelinux.org/aports/commit/?id=478ed45621953f401511c76d48e3196bb7ef7813
- https://git.alpinelinux.org/aports/commit/?id=7b5929125122b280baf78cf8b7f2466dcf4d79d2
- https://git.alpinelinux.org/aports/commit/?id=10d80c4a6dd266d82f42c9714fdef16c04b3a859
- https://git.alpinelinux.org/aports/commit/?id=79170b170d09fe898c6c937ba588dc214dabb05c