[Secure-testing-team] mosquitto: does not handle errors from authentication plugins correctly

Roger Light roger at atchoo.org
Mon Jul 14 10:45:32 UTC 2014


Source: mosquitto
Version: 1.2.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

If an end user uses mosquitto with an authentication plugin, and the
plugin returns an application error when making an authentication check
(such as if a database was unavailable), then mosquitto incorrectly
treats this as a successful authentication.

This has the potential for unauthorised clients to access the running
mosquitto broker and gain access to information to which they are not
authorised. In general this does not represent a wider security hole.

No authentication plugins are provided with mosquitto and there are only
a limited number of examples available on the internet, so it is
unlikely that this bug will affect many installations.
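The failure mode described in the report is a fail-open check: the broker only treats an explicit authentication refusal as a denial, so an application error from the plugin (for example, the backing database being unreachable) is accepted as though the credentials had been verified. The following C program is an added illustration of that logic beside its fail-closed counterpart; it is not code from mosquitto, from an authentication plugin, or from this report. The `plugin_unpwd_check` stand-in, the local `mosq_err_t` enum (only the three names matter; the values are a convenience for this example), the `db_up` parameter and the "alice"/"secret" credentials are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for mosquitto's result codes. Only the three names are
 * meaningful here; the numeric values are a convenience for this example. */
typedef enum {
    MOSQ_ERR_SUCCESS = 0,   /* plugin positively verified the credentials */
    MOSQ_ERR_AUTH    = 11,  /* plugin rejected the credentials */
    MOSQ_ERR_UNKNOWN = 13   /* plugin could not decide, e.g. database down */
} mosq_err_t;

/* Constructed stand-in for a plugin's username/password check. The only
 * valid credentials are "alice"/"secret". When the backing store is
 * unavailable the plugin reports an application error, not a verdict. */
int plugin_unpwd_check(bool db_up, const char *username, const char *password)
{
    if (!db_up)
        return MOSQ_ERR_UNKNOWN;
    if (username && password &&
        strcmp(username, "alice") == 0 && strcmp(password, "secret") == 0)
        return MOSQ_ERR_SUCCESS;
    return MOSQ_ERR_AUTH;
}

/* Broker-side decision with the flaw the report describes: only an explicit
 * MOSQ_ERR_AUTH counts as a refusal, so any other error code, including
 * "database unavailable", is accepted as if the check had passed. */
bool broker_accepts_fail_open(bool db_up, const char *username, const char *password)
{
    int rc = plugin_unpwd_check(db_up, username, password);
    if (rc == MOSQ_ERR_AUTH)
        return false;
    return true;   /* BUG: MOSQ_ERR_UNKNOWN falls through to "accepted" */
}

/* Fail-closed decision: a client is admitted only when the plugin positively
 * confirms the credentials. Every other code, expected or not, denies, and an
 * unexpected code is logged so an outage of the auth backend is visible. */
bool broker_accepts_fail_closed(bool db_up, const char *username, const char *password)
{
    int rc = plugin_unpwd_check(db_up, username, password);
    if (rc == MOSQ_ERR_SUCCESS)
        return true;
    if (rc != MOSQ_ERR_AUTH)
        fprintf(stderr, "auth plugin returned %d for user '%s': denying\n",
                rc, username ? username : "(none)");
    return false;
}

int main(void)
{
    /* Valid user, backend up: both variants admit. */
    printf("alice, db up   : open=%d closed=%d\n",
           broker_accepts_fail_open(true, "alice", "secret"),
           broker_accepts_fail_closed(true, "alice", "secret"));
    /* Wrong password, backend up: both variants deny. */
    printf("mallory, db up : open=%d closed=%d\n",
           broker_accepts_fail_open(true, "mallory", "guess"),
           broker_accepts_fail_closed(true, "mallory", "guess"));
    /* Backend down: the fail-open broker admits anyone, fail-closed admits nobody. */
    printf("mallory, db down: open=%d closed=%d\n",
           broker_accepts_fail_open(false, "mallory", "guess"),
           broker_accepts_fail_closed(false, "mallory", "guess"));
    return 0;
}
```

The third line of output is the case the report is about: with the database unreachable, the fail-open broker returns 1 for a client that has no valid credentials. The fail-closed variant also rejects the legitimate user during the outage, which is the intended trade-off for an authentication check: an unavailable backend should surface as a logged denial, not as silent acceptance.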


