Bug 565671 - Mosquitto Windows Service Unquoted Path vulnerability
Summary: Mosquitto Windows Service Unquoted Path vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
Keywords: security
Reported: 2020-07-29 15:35 EDT by Josh Tanski CLA
Modified: 2020-08-11 07:32 EDT
Attachments
Screenshot showing unquoted path to executable (66.36 KB, image/png)
2020-07-29 15:35 EDT, Josh Tanski CLA
Description Josh Tanski CLA 2020-07-29 15:35:39 EDT
Created attachment 283738
Screenshot showing unquoted path to executable

Ran mosquitto-1.6.10a-install-windows-x64.exe on a fresh Windows Server 2019 install. Mosquitto Broker service was installed, but the path is unquoted and contains a space; the installer should be fixed to put the path in quotes to fix this Windows Service Unquoted Path vulnerability. Screenshot attached - Path to executable C:\Program Files\mosquitto\mosquitto.exe run should be replaced with something like "C:\Program Files\mosquitto\mosquitto.exe" run
Comment 1 Roger Light CLA 2020-08-11 07:32:10 EDT
Thank you, we've now released an installer which fixes this.
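
An added example, not part of the original report or the Mosquitto project's code: a small audit routine that flags service ImagePath values whose executable path contains a space but is not quoted, and prints the quoted form the report asks for. The function names and every sample entry other than the Mosquitto path are assumptions made for the demonstration.

```python
import re

# Executable part of an unquoted command line: the shortest prefix ending in
# ".exe" that is followed by whitespace or the end of the string.
_EXE_PREFIX = re.compile(r"^(.+?\.exe)(?=\s|$)", re.IGNORECASE)

def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments, was_quoted)."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unbalanced quote: treat the remainder as the executable
            return value[1:], "", True
        return value[1:end], value[end + 1:].strip(), True
    match = _EXE_PREFIX.match(value)
    if match:
        return match.group(1), value[match.end():].strip(), False
    return value, "", False  # no ".exe" token, e.g. a kernel driver path

def is_unquoted_with_space(image_path):
    """True when the executable path contains a space and is not quoted."""
    exe, _args, quoted = split_image_path(image_path)
    return not quoted and exe.lower().endswith(".exe") and " " in exe

def quoted_form(image_path):
    """Return the ImagePath with the executable wrapped in double quotes."""
    exe, args, _quoted = split_image_path(image_path)
    return f'"{exe}" {args}'.strip()

def audit(services):
    """Return (name, current, suggested) for every flagged service."""
    return [(name, path, quoted_form(path))
            for name, path in services.items() if is_unquoted_with_space(path)]

# Constructed sample data. Only the Mosquitto value comes from the report;
# the other service names and paths are made up for the demonstration.
SAMPLE_SERVICES = {
    "Mosquitto Broker": r"C:\Program Files\mosquitto\mosquitto.exe run",
    "ExampleQuoted": r'"C:\Program Files\Example\svc.exe" --service',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name, current, suggested in audit(SAMPLE_SERVICES):
        print(f"{name}: {current}  ->  {suggested}")
```

On a real host, the same functions can be fed the ImagePath values exported from the service configuration instead of the constructed dictionary.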