CVE-2018-12551 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-12551 Interim 1 19 2025-02-17T02:44:57Z current 2021-05-30T14:14:32Z 2025-02-17T02:44:57Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-12551 When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SRF6WPNSL7W2K6AHOK3GYIPB4F2ISYFN/#SRF6WPNSL7W2K6AHOK3GYIPB4F2ISYFN E-Mail link for openSUSE-SU-2019:0233-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YSX4D64TRLDVQNQZHRPNZIOVDOBKHJEA/#YSX4D64TRLDVQNQZHRPNZIOVDOBKHJEA E-Mail link for openSUSE-SU-2019:0237-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 openSUSE Leap 15.0 openSUSE Tumbleweed libmosquitto1-1.4.15-bp150.3.3.1 libmosquitto1-1.4.15-lp150.2.3.1 libmosquitto1-2.0.11-1.2 libmosquittopp1-1.4.15-bp150.3.3.1 libmosquittopp1-1.4.15-lp150.2.3.1 libmosquittopp1-2.0.11-1.2 mosquitto-1.4.15-bp150.3.3.1 mosquitto-1.4.15-lp150.2.3.1 mosquitto-2.0.11-1.2 mosquitto-clients-1.4.15-bp150.3.3.1 mosquitto-clients-1.4.15-lp150.2.3.1 mosquitto-clients-2.0.11-1.2 mosquitto-devel-1.4.15-bp150.3.3.1 mosquitto-devel-1.4.15-lp150.2.3.1 mosquitto-devel-2.0.11-1.2 libmosquitto1-1.4.15-bp150.3.3.1 as a component of SUSE Package Hub 15 libmosquittopp1-1.4.15-bp150.3.3.1 as a component of SUSE Package Hub 15 mosquitto-1.4.15-bp150.3.3.1 as a component of SUSE Package Hub 15 mosquitto-clients-1.4.15-bp150.3.3.1 as a component of SUSE Package Hub 15 mosquitto-devel-1.4.15-bp150.3.3.1 as a component of SUSE Package Hub 15 libmosquitto1-1.4.15-lp150.2.3.1 as a component of openSUSE Leap 15.0 libmosquittopp1-1.4.15-lp150.2.3.1 as a component of openSUSE Leap 15.0 mosquitto-1.4.15-lp150.2.3.1 as a component of openSUSE Leap 15.0 mosquitto-clients-1.4.15-lp150.2.3.1 as a component of openSUSE Leap 15.0 mosquitto-devel-1.4.15-lp150.2.3.1 as a component of openSUSE Leap 15.0 libmosquitto1-2.0.11-1.2 as a component of openSUSE Tumbleweed libmosquittopp1-2.0.11-1.2 as a component of openSUSE Tumbleweed mosquitto-2.0.11-1.2 as a component of openSUSE Tumbleweed mosquitto-clients-2.0.11-1.2 as a component of openSUSE Tumbleweed mosquitto-devel-2.0.11-1.2 as a component of openSUSE Tumbleweed When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. CVE-2018-12551 SUSE Package Hub 15:libmosquitto1-1.4.15-bp150.3.3.1 SUSE Package Hub 15:libmosquittopp1-1.4.15-bp150.3.3.1 SUSE Package Hub 15:mosquitto-1.4.15-bp150.3.3.1 SUSE Package Hub 15:mosquitto-clients-1.4.15-bp150.3.3.1 SUSE Package Hub 15:mosquitto-devel-1.4.15-bp150.3.3.1 openSUSE Leap 15.0:libmosquitto1-1.4.15-lp150.2.3.1 openSUSE Leap 15.0:libmosquittopp1-1.4.15-lp150.2.3.1 openSUSE Leap 15.0:mosquitto-1.4.15-lp150.2.3.1 openSUSE Leap 15.0:mosquitto-clients-1.4.15-lp150.2.3.1 openSUSE Leap 15.0:mosquitto-devel-1.4.15-lp150.2.3.1 openSUSE Tumbleweed:libmosquitto1-2.0.11-1.2 openSUSE Tumbleweed:libmosquittopp1-2.0.11-1.2 openSUSE Tumbleweed:mosquitto-2.0.11-1.2 openSUSE Tumbleweed:mosquitto-clients-2.0.11-1.2 openSUSE Tumbleweed:mosquitto-devel-2.0.11-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H