CVE-2018-12551

CVE-2018-12551

Vendor The Eclipse Foundation
Product Eclipse Mosquitto
Weakness CWE-703
Published March 27, 2019
Last update August 5, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.

Key dates

02Disclosure timeline

March 27, 2019 CVE published
August 5, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-28959 Junos OS: QFX10002: PFE wedges and restarts upon receipt of specific malformed packets CVE-2023-22413 Junos OS: MX Series: The Multiservices PIC Management Daemon (mspmand) will crash when an IPsec6 tunnel processes specific IPv4 packets CVE-2023-0397 DoS: Invalid Initialization in le_read_buffer_size_complete CVE-2026-1996 Certain HP OfficeJet Pro Printers – Denial of Service CVE-2025-68135 EVerest's inadequate exception handling leads to denial of service