PT-2019-5496 · Eclipse · Eclipse Mosquitto
Charles Taylor · Published 2019-01-14 · Updated 2019-10-26
CVE-2018-12551
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Eclipse Mosquitto versions 1.0 through 1.5.5
Description
The issue lies in the authentication procedure of Eclipse Mosquitto. When the broker is configured to authenticate clients against a password file, any malformed data in that file is treated as valid, which can allow clients to bypass authentication. In particular, a blank line in the password file is accepted as a valid entry with an empty username, enabling unauthorized access to the broker. Other security measures are not affected, and users who have only ever managed their password files with the mosquitto_passwd utility are not affected.
Recommendations
For Eclipse Mosquitto versions 1.0 through 1.5.5, ensure that password files are properly formatted and contain no blank or otherwise malformed lines, so that no spurious entry can be used to gain unauthorized access. As a temporary workaround, manually review the password file and correct or remove any such lines.
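The manual review recommended above can be scripted. The following checker is an added example, not part of this advisory or of the Mosquitto project; it assumes the 1.x password-file layout of one `username:hash` entry per line as written by mosquitto_passwd, and the sample file content embedded in it is constructed, with placeholder hashes. It reports blank lines (the case described in this advisory) as well as the other shapes of malformed entry a broker of an affected version would have accepted silently.

```python
"""Check a Mosquitto 1.x password file for blank or malformed entries.

Added example (not Mosquitto's own code). Assumes one "username:hash"
entry per line, as mosquitto_passwd writes it. Blank lines are reported
because Mosquitto 1.0 through 1.5.5 treated them as a valid entry with an
empty username; other malformed lines are reported because the same
parser accepted them without complaint.
"""
import re
import sys
from typing import List, Tuple

# A clean entry: a non-empty username that does not start with whitespace
# and contains no ':' (the field separator), a colon, then a non-empty hash
# with no whitespace.
ENTRY_RE = re.compile(r"^([^:\s][^:]*):(\S+)$")

# Constructed sample file: the hashes are placeholders, not real digests.
SAMPLE_FILE = (
    "alice:$6$c29tZXNhbHQ=$PLACEHOLDER_HASH_A\n"
    "\n"                                           # blank line: CVE-2018-12551
    "bob:$6$c29tZXNhbHQ=$PLACEHOLDER_HASH_B\n"
    "carol\n"                                      # missing separator
    ":$6$c29tZXNhbHQ=$PLACEHOLDER_HASH_C\n"        # empty username
    "dave:\n"                                      # empty hash
    "alice:$6$c29tZXNhbHQ=$PLACEHOLDER_HASH_D\n"   # duplicate username
)


def check_password_file(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) for every line that is not a clean entry.

    An empty list means every line is a well-formed, unique entry.
    """
    problems: List[Tuple[int, str]] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            problems.append((lineno, "blank line (accepted as an empty username)"))
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            if ":" not in line:
                problems.append((lineno, "missing ':' separator"))
            elif line.startswith(":"):
                problems.append((lineno, "empty username"))
            elif line.endswith(":"):
                problems.append((lineno, "empty password hash"))
            else:
                problems.append((lineno, "malformed entry"))
            continue
        user = match.group(1)
        if user in seen:
            problems.append((lineno, f"duplicate username {user!r}"))
        seen.add(user)
    return problems


def main(argv: List[str]) -> int:
    """Check the file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FILE
    problems = check_password_file(text)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    # Non-zero exit when anything needs fixing, so the check can gate a deploy.
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real password file with `python check_passwd.py /path/to/passwordfile`; a non-zero exit status means at least one line needs to be removed or rewritten with mosquitto_passwd before the broker can safely use the file.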
Exploit
Fix
Improper Authentication
Related identifiers
Affected products
Alt Linux
Eclipse Mosquitto
Suse