ALT-PU-2018-1086-1

Обновление пакета mosquitto в ветке p8

Версия1.4.14-alt0.M80P.1

Задание#198547

Опубликовано2018-01-25

Макс. серьёзностьMEDIUM

Серьёзность:

Закрытые проблемы (2)

MEDIUM6.5

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

Опубликовано: 2017-09-11Изменено: 2025-04-20

CVSS 2.0СРЕДНЯЯ 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

MEDIUM5.5

In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

Опубликовано: 2017-06-25Изменено: 2025-04-20

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки