SB2019021003 - Input validation error in mosquitto (Alpine package)
Published: February 10, 2019
Security Bulletin ID
SB2019021003
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2018-12551)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass password authentication.
The vulnerability exists due to insufficient validation of malformed input in a password file, when it is used for authentication. Incorrect data in password file will be treated by the application as a username with empty password, allowing attacker to gain unauthorized access to the application.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=cdf3e55bbad03e4036a926c6ec33aae93e695537
- https://git.alpinelinux.org/aports/commit/?id=231048d9b3314a33f93647991dc803fdf5cc7ff7
- https://git.alpinelinux.org/aports/commit/?id=0615c8c70a2ec6b20460291a2755e9e36f393205
- https://git.alpinelinux.org/aports/commit/?id=c000685cbe12c9f51e9d651aff660e8b3ebc8f70