CVE-2018-12551

Publication date 27 March 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mosquitto	19.04 disco	Not affected
	18.10 cosmic	Fixed 1.4.15-2ubuntu0.18.10.1
	18.04 LTS bionic	Fixed 1.4.15-2ubuntu0.18.04.1
	16.04 LTS xenial	Fixed 1.4.8-1ubuntu0.16.04.5
	14.04 LTS trusty	Not affected

Notes

ebarretto

mosquitto's version on Trusty is EOL.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
mosquitto	Upstream: https://mosquitto.org/files/cve/2018-12551/

Severity score breakdown

Parameter	Value
Base score	8.1 · High
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H