CVE-2018-12546
First published: Wed Mar 27 2019(Updated: )
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able cause effects that would otherwise not be allowed.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Mosquitto | >=1.0<=1.5.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-12546?
The severity of CVE-2018-12546 is medium with a CVSS score of 6.5.
What is the description of CVE-2018-12546?
CVE-2018-12546 is a vulnerability in Eclipse Mosquitto version 1.0 to 1.5.5 that allows retained messages to be published to unauthorized clients.
How does CVE-2018-12546 affect Eclipse Mosquitto?
CVE-2018-12546 affects Eclipse Mosquitto versions 1.0 to 1.5.5 by allowing unauthorized clients to receive retained messages after access to the topic has been revoked.
Is there a fix for CVE-2018-12546?
Yes, upgrading to a version above 1.5.5 or applying the relevant patch addresses the CVE-2018-12546 vulnerability.
Where can I find more information about CVE-2018-12546?
More information about CVE-2018-12546 can be found at the following link: https://bugs.eclipse.org/bugs/show_bug.cgi?id=543127
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/eclipse
- canonical/eclipse mosquitto
- version/eclipse mosquitto/1.0
- version/eclipse mosquitto/1.5.5