Vulnerabilities > Eclipse > Mosquitto > 1.5.1

DATE CVE VULNERABILITY TITLE RISK
2019-03-27 CVE-2018-12546 Incorrect Permission Assignment for Critical Resource vulnerability in Eclipse Mosquitto
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future.
network
low complexity
eclipse CWE-732
6.5
6.5
2018-12-13 CVE-2018-20145 Incorrect Permission Assignment for Critical Resource vulnerability in Eclipse Mosquitto
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
network
low complexity
eclipse CWE-732
7.5
7.5
2018-11-15 CVE-2018-12543 Improper Input Validation vulnerability in Eclipse Mosquitto 1.5.1/1.5.2
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g.
network
low complexity
eclipse CWE-20
7.5
7.5