Alpine: mosquitto: security update to 1.4.15-r4

high Tenable Cloud Security Plugin ID 405601

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL
file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL
file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean
that all access is denied, which is not a useful configuration but is not unexpected. (CVE-2018-12550)

- When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for
authentication, any malformed data in the password file will be treated as valid. This typically means
that the malformed data becomes a username and no password. If this occurs, clients can circumvent
authentication and get access to the broker by using the malformed username. In particular, a blank line
will be treated as a valid empty username. Other security measures are unaffected. Users who have only
used the mosquitto_passwd utility to create and modify their password files are unaffected by this
vulnerability. (CVE-2018-12551)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-12550

https://security.alpinelinux.org/vuln/CVE-2018-12551

Plugin Details

Severity: High

ID: 405601

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-12551

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/9/2019

Reference Information

CVE: CVE-2018-12550, CVE-2018-12551