{"id":"CVE-2018-12551","details":"When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.","modified":"2026-04-09T06:03:23.786453Z","published":"2019-03-27T18:29:00.367Z","related":["openSUSE-SU-2019:0233-1","openSUSE-SU-2019:0237-1","openSUSE-SU-2024:11057-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"},{"type":"REPORT","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=543401"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/mosquitto","events":[{"introduced":"0"},{"last_affected":"66dfa573946425661626e2f574ef125ab01b01f5"}],"database_specific":{"versions":[{"introduced":"1.0"},{"last_affected":"1.5.5"}]}}],"versions":["v1.4.1","v1.4.10","v1.4.11","v1.4.12","v1.4.13","v1.4.14","v1.4.15","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-12551.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}