PT-2018-3529 · Eclipse · Eclipse Mosquitto
Yan Jia · Published 2018-12-03 · Updated 2019-10-26
CVE-2018-12550
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Eclipse Mosquitto versions 1.0 through 1.5.5
Description:
The issue concerns how Eclipse Mosquitto handles its access control list (ACL) file. When the ACL file is empty or contains only comments or blank lines, Mosquitto previously fell back to a default allow policy; the new behaviour is to deny all access when the ACL file is empty. This change in behaviour may lead to unexpected configuration issues. The vulnerability is also attributed to insufficient input validation and incorrect implementation of functions, which may allow a remote attacker to gain unauthorized access to protected information.
Recommendations:
For Eclipse Mosquitto versions 1.0 through 1.5.5, ensure that the ACL file is properly configured and not empty, so that access is neither unintentionally denied to everyone nor left unrestricted. As a temporary workaround, define a default ACL policy to minimize the risk of exploitation. Restrict access to the broker until a proper ACL configuration is in place.
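The condition at the root of this entry is an ACL file that has no effective rules: it is either empty or made up only of comments and blank lines. The following check is an added example written for this page and not part of the advisory or of the Mosquitto project; it reports whether a given ACL file contains at least one effective rule, and writes a sample ACL file (constructed here, with hypothetical user and topic names) in the standard Mosquitto ACL syntax (`topic`, `user`, `pattern` lines) so that the difference between a populated file and a comment-only one is visible. The file path passed to the function, and the `acl_file` directive that points Mosquitto at it, are assumed to match the deployment's `mosquitto.conf`.

```shell
#!/bin/sh
# Added example (not from the advisory or from the Mosquitto project).
# Checks whether a Mosquitto ACL file contains at least one effective rule,
# i.e. a line that is neither blank nor a comment. A file with no effective
# rules is exactly the situation this advisory describes.

# acl_has_rules FILE
#   exit 0 if FILE exists and contains at least one effective rule,
#   exit 1 if FILE is missing, empty, or contains only comments/blank lines.
acl_has_rules() {
    [ -f "$1" ] || return 1
    # First non-whitespace character on some line must not be '#'.
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Writes a correctly populated ACL file (constructed sample; the user and
# topic names are hypothetical). Rules listed before any "user" line apply
# to anonymous clients; "pattern" rules apply to every client, with %u
# replaced by the client's username.
write_sample_acl() {
    cat > "$1" <<'EOF'
# Mosquitto ACL file (constructed sample)
# Anonymous clients: read-only access to telemetry
topic read sensors/#

# Named user: read telemetry, publish only to its own command topic
user dashboard
topic read sensors/#
topic write commands/dashboard/#

# Every authenticated client gets a private subtree
pattern readwrite clients/%u/#
EOF
}

# Writes an ACL file that looks populated but has no effective rules;
# acl_has_rules must report this one as empty.
write_comment_only_acl() {
    cat > "$1" <<'EOF'
# TODO: add rules before going live

EOF
}

# Stand-alone usage: acl_check /etc/mosquitto/acl (path assumed to match
# the acl_file directive in mosquitto.conf).
acl_check() {
    if acl_has_rules "$1"; then
        echo "ok: $1 contains at least one ACL rule"
    else
        echo "warning: $1 has no effective ACL rules (empty or comments only)" >&2
        return 1
    fi
}
```

Run `acl_check` against the ACL file named in `acl_file` after every configuration change; a non-zero exit means the broker is in the empty-ACL state the advisory warns about, and the file should be populated before clients are allowed to connect.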
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Eclipse Mosquitto
Suse