Permissions, Privileges, and Access Controls in mosquitto (Alpine package)



Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2018-12546
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: mosquitto (Alpine package) (Operating systems & Components / Operating system package or component)
Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU17464

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12546

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to potentially sensitive information.

The vulnerability exists because messages were still delivered to clients after their access to a topic was revoked. A remote authenticated user can obtain potentially sensitive information.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

mosquitto (Alpine package): 1.4.4-r0 - 1.4.15-r4

External links

https://git.alpinelinux.org/aports/commit/?id=68e4e4a13ae7d52d37708f6d7393a5a6ef0ef856
https://git.alpinelinux.org/aports/commit/?id=1a43a53ec67e2c5ca5fa770026cd904d745f32a1
https://git.alpinelinux.org/aports/commit/?id=54e5c2f7374a2dba0bc5dbc825e3cb9557de2d1b
https://git.alpinelinux.org/aports/commit/?id=cdf3e55bbad03e4036a926c6ec33aae93e695537
https://git.alpinelinux.org/aports/commit/?id=0615c8c70a2ec6b20460291a2755e9e36f393205
https://git.alpinelinux.org/aports/commit/?id=c000685cbe12c9f51e9d651aff660e8b3ebc8f70


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


