CVE-2018-12550

EPSS 0.47%
Published 27.03.2019 18:29:00
Last modified 21.11.2024 03:45:25
Source emo@eclipse.org
Teams watchlist Login
Open Login

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Mosquitto Version >= 1.0 <= 1.5.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.47%	0.638

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-440 Expected Behavior Violation

A feature, API, or function does not perform according to its specification.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870

Vendor Advisory

Issue Tracking

https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html

https://nvd.nist.gov/vuln/detail/CVE-2018-12550

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-12550

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-12550

EUVD