CVE-2017-7650

EPSS 2.5%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 2.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

11 Sep 2017Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

Affected products

Eclipse Foundation · Mosquitto

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/https://bugs.eclipse.org/bugs/show_bug.cgi?id=516765 http://www.debian.org/security/2017/dsa-3865 http://www.securityfocus.com/bid/98741