Source: mosquitto
Version: 1.2.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

If an end user uses mosquitto with an authentication plugin, and the plugin returns an application error when making an authentication check (such as if a database was unavailable), then mosquitto incorrectly treats this as a successful authentication. This has the potential for unauthorised clients to access the running mosquitto broker and gain access to information to which they are not authorised.

In general this does not represent a wider security hole. No authentication plugins are provided with mosquitto and there are only a limited number of examples available on the internet, so it is unlikely that this bug will affect many installations.
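The report does not include the affected code. The following is an added illustration, not part of the report and not mosquitto's source, of the fail-open handling it describes next to a fail-closed check; every name and result code in it is hypothetical.

```c
#include <stdio.h>

/* Hypothetical result codes for this example (not mosquitto's constants). */
enum auth_rc { AUTH_OK = 0, AUTH_DENIED = 1, AUTH_APP_ERROR = 2 };

/* Stand-in for a plugin's credential check. db_up == 0 models the
 * "database was unavailable" case from the report. */
enum auth_rc plugin_check(int db_up, int creds_valid)
{
    if (!db_up)
        return AUTH_APP_ERROR;          /* plugin could not decide */
    return creds_valid ? AUTH_OK : AUTH_DENIED;
}

/* Fail-open: only the explicit denial code rejects the client, so an
 * application error falls through and the client is admitted. */
int accept_fail_open(enum auth_rc rc)
{
    return rc != AUTH_DENIED;
}

/* Fail-closed: only explicit success admits the client; a denial and
 * any error both reject. */
int accept_fail_closed(enum auth_rc rc)
{
    return rc == AUTH_OK;
}

int main(void)
{
    /* Constructed scenarios: {db_up, creds_valid}. */
    int cases[3][2] = { {1, 1}, {1, 0}, {0, 0} };
    const char *names[3] = { "valid creds", "bad creds", "db unavailable" };

    for (int i = 0; i < 3; i++) {
        enum auth_rc rc = plugin_check(cases[i][0], cases[i][1]);
        printf("%-15s rc=%d fail-open=%d fail-closed=%d\n",
               names[i], rc, accept_fail_open(rc), accept_fail_closed(rc));
    }
    return 0;
}
```
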