Description
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
References (3)
Core 3
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/eclipse/mosquitto/issues/1073
Third Party Advisory x_refsource_misc
https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt
Patch, Third Party Advisory x_refsource_misc
https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4
Scores
CVSS v3
7.5
EPSS
0.0021
EPSS Percentile
43.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-732
Status
published
Products (1)
eclipse/mosquitto
1.5 - 1.5.5
Published
Dec 13, 2018
Tracked Since
Feb 18, 2026