Candidate: CVE-2018-20145
PublicDate: 2018-12-13 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20145
 https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4
 https://github.com/eclipse/mosquitto/issues/1073
 https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt
Description:
 Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option
 per_listener_settings was set to true, and the default listener was in use,
 and the default listener specified an acl_file, then the acl file was being
 ignored.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_mosquitto:
upstream_mosquitto: released (1.5.5-1)
precise/esm_mosquitto: DNE
trusty_mosquitto: not-affected (code not present)
trusty/esm_mosquitto: not-affected (code not present)
xenial_mosquitto: not-affected (code not present)
bionic_mosquitto: not-affected (code not present)
cosmic_mosquitto: not-affected (code not present)
devel_mosquitto: not-affected (1.5.5-1)