PT-2017-17865 · Eclipse+1 · Mosquitto+1

Artem · Published 2017-05-29 · Updated 2019-10-03 · CVE-2017-7650

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mosquitto versions prior to 1.4.12

Description: The issue allows clients to bypass pattern-based ACLs by setting their username or client ID to '#' or '+'. Because pattern ACLs substitute the client's identity into a topic filter, an identity made of MQTT wildcard characters turns the filter into a wildcard match, so locally or remotely connected clients can access MQTT topics they do not have rights to. The problem may also be present in third-party authentication/access control plugins for Mosquitto that perform the same substitution.

Recommendations: For Mosquitto versions prior to 1.4.12, update to version 1.4.12 or later to resolve the issue. As a temporary workaround, consider restricting access to MQTT topics and implementing additional authentication measures to minimize the risk of exploitation.
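The following Python is an added example, not code from the advisory or from the Mosquitto project. It models a pattern-based ACL (Mosquitto's `pattern` lines substitute `%u` for the username and `%c` for the client ID) together with standard MQTT topic-filter matching, and shows the defensive check a broker or third-party auth/ACL plugin can apply: refuse to expand a pattern for any client whose username or client ID contains an MQTT wildcard character. The ACL lines, usernames and topics are constructed for the demo; `acl_allows`, `identity_is_safe` and `demo` are hypothetical names.

```python
"""Added example: pattern-ACL expansion with and without identity validation.

Assumed (not from the advisory): ACL patterns use %u (username) and %c
(client ID) as in Mosquitto's 'pattern' ACL lines; topic filters use MQTT
wildcards '+' (one level) and '#' (remaining levels, last segment only).
"""

WILDCARDS = {"+", "#"}


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT topic-filter match: '+' matches one level,
    '#' (only valid as the last segment) matches the rest of the topic."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return i == len(f_parts) - 1  # '#' must be the final segment
        if i >= len(t_parts):
            return False
        if fp != "+" and fp != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Substitute the client's identity into a pattern ACL line."""
    return pattern.replace("%u", username).replace("%c", client_id)


def identity_is_safe(value: str) -> bool:
    """Hardening check: an identity carrying MQTT wildcard characters must
    never be substituted into a topic filter, because it would widen the
    filter to topics belonging to other clients."""
    return value is not None and not any(ch in value for ch in WILDCARDS)


def acl_allows(patterns, username, client_id, topic, validate_identity=True):
    """Return True if any expanded pattern grants access to `topic`.
    validate_identity=False reproduces the pre-1.4.12 behaviour described
    in the advisory; the default applies the wildcard check first."""
    if validate_identity and not (identity_is_safe(username) and identity_is_safe(client_id)):
        return False
    return any(
        topic_matches(expand_pattern(p, username, client_id), topic)
        for p in patterns
    )


# Constructed ACL: each client may read its own status and its own client tree.
CONSTRUCTED_ACL = ["devices/%u/status", "clients/%c/#"]


def demo() -> dict:
    """Outcomes for a normal client and for a wildcard identity, with the
    vulnerable (no validation) and hardened (validation) evaluation."""
    return {
        "alice_own_topic": acl_allows(CONSTRUCTED_ACL, "alice", "c1", "devices/alice/status"),
        "alice_other_topic": acl_allows(CONSTRUCTED_ACL, "alice", "c1", "devices/bob/status"),
        "wildcard_user_vulnerable": acl_allows(
            CONSTRUCTED_ACL, "+", "c1", "devices/bob/status", validate_identity=False),
        "wildcard_user_hardened": acl_allows(CONSTRUCTED_ACL, "+", "c1", "devices/bob/status"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point to take from the demo is that the bypass needs no broker bug beyond the substitution itself: a username of `+` makes `devices/%u/status` expand to `devices/+/status`, which legitimately matches every client's status topic. Plugins that build their own topic filters from client identities should apply the same `identity_is_safe` check at authentication time, and ideally reject the connection rather than silently denying the ACL.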

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related identifiers

ALT-PU-2017-1676
CVE-2017-7650
DLA-961-1
DSA-3865-1
OPENSUSE-SU-2024:11057-1

Affected products

Alt Linux
Mosquitto