Alpine: multiple mosquitto packages: security update to 1.5.5-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400610

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a
topic, then has its access to that topic revoked, the retained message will still be published to clients
that subscribe to that topic in the future. In some applications this may result in clients being able
cause effects that would otherwise not be allowed. (CVE-2018-12546)

- When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL
file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL
file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean
that all access is denied, which is not a useful configuration but is not unexpected. (CVE-2018-12550)

- When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for
authentication, any malformed data in the password file will be treated as valid. This typically means
that the malformed data becomes a username and no password. If this occurs, clients can circumvent
authentication and get access to the broker by using the malformed username. In particular, a blank line
will be treated as a valid empty username. Other security measures are unaffected. Users who have only
used the mosquitto_passwd utility to create and modify their password files are unaffected by this
vulnerability. (CVE-2018-12551)

See Also

https://git.alpinelinux.org/aports/commit/?id=682df4c4657a0a3c7164da8c9ad3ab19a56ccffa

https://git.alpinelinux.org/aports/commit/?id=c000685cbe12c9f51e9d651aff660e8b3ebc8f70

Plugin Details

Severity: High

ID: 400610

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-12551

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/12/2019

Vulnerability Publication Date: 2/9/2019

Reference Information

CVE: CVE-2018-12546, CVE-2018-12550, CVE-2018-12551