Retention Issue in Eclipse Mosquitto Affects Client Access Control
CVE-2018-12546
6.5 MEDIUM
What is CVE-2018-12546?
In Eclipse Mosquitto versions 1.0 through 1.5.5, a client can publish a retained message to a topic and, even after that client's access to the topic is revoked, the retained message remains stored on the broker and is delivered to any future client that subscribes to that topic. This can lead to unintended information exposure and lets a client have an effect on a topic it is no longer permitted to use, undermining the integrity of the broker's access controls.
Affected Version(s)
Eclipse Mosquitto 1.0
Eclipse Mosquitto <= 1.5.5
CVSS v3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged