Bug 541870 (CVE-2018-12550) - mosquitto: An empty ACL file grants all permissions to clients
Summary: mosquitto: An empty ACL file grants all permissions to clients
Status: RESOLVED FIXED
Alias: CVE-2018-12550
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
Keywords: security
Reported: 2018-12-03 19:30 EST by Yan Jia
Modified: 2019-02-08 16:45 EST

Description Yan Jia 2018-12-03 19:30:32 EST
This may occur when developers want to revoke the permission of a client. If the client is the last one in the ACL config file, it will be granted all permissions. For example:

1. A developer runs mosquitto: mosquitto -c mosquitto.conf
And the acl_file contains:
    topic readwrite a/a
This means that the clients can only access the topic "a/a"

2. To revoke the permission of clients, the developer adds a "#" at the beginning of that line.

3. However, the clients are granted all permissions, which is against the will of the developers, because the acl_file is empty.
Comment 1 Roger Light 2019-01-23 18:39:02 EST
Could I have a CVE assigned for this please? I'll provide the CVSS and description later.
Comment 2 Roger Light 2019-01-30 10:52:02 EST
Description:

If Mosquitto is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.

Affects versions 1.0 to 1.5.5 inclusive.

CVSS v2: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:C/I:C/A:N/E:ND/RL:OF/RC:C)

CVSS v3: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:X/RL:O/RC:C
Comment 3 Roger Light 2019-02-05 10:29:06 EST
https://cwe.mitre.org/data/definitions/440.html
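The behaviour described in the report and in Comment 2, modelled as an added example (this is not Mosquitto's code, and it covers only the general `topic` lines of an ACL file, not `user` or `pattern` sections): a parser that flags an ACL file that is empty or contains only comments and blank lines, and an access check that shows the affected versions' default-allow outcome beside the fixed deny-all outcome.

```python
"""Model of the CVE-2018-12550 condition (affects Mosquitto 1.0 to 1.5.5).

Simplified model, not Mosquitto's implementation: only 'topic [access] <filter>'
lines are parsed; 'user' and 'pattern' sections are out of scope.
"""
from dataclasses import dataclass

VALID_ACCESS = ("read", "write", "readwrite")


@dataclass
class AclRule:
    access: str  # "read", "write" or "readwrite"
    topic: str   # topic filter, may contain MQTT wildcards '+' and '#'


def parse_acl(text: str) -> list[AclRule]:
    """Parse the general 'topic' rules, skipping comment (#) and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "topic" or len(parts) != 3 or parts[1] not in VALID_ACCESS:
            raise ValueError(f"unsupported or malformed ACL line: {raw!r}")
        rules.append(AclRule(parts[1], parts[2]))
    return rules


def acl_file_is_effectively_empty(text: str) -> bool:
    """Audit check: True when the file yields no rules at all (the CVE trigger)."""
    return not parse_acl(text)


def topic_matches(filt: str, topic: str) -> bool:
    """Standard MQTT filter matching: '+' matches one level, '#' the remainder."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def is_permitted(rules: list[AclRule], topic: str, access: str, fixed: bool) -> bool:
    """Decide access. With no rules, affected versions behave as if no ACL file
    were configured (allow all); the fixed behaviour denies everything."""
    if not rules:
        return not fixed
    return any(topic_matches(r.topic, topic) and r.access in ("readwrite", access)
               for r in rules)
```

Run `acl_file_is_effectively_empty()` over each deployed ACL file to catch the commented-out-last-rule case from the report before an affected broker turns it into allow-all.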