Debian LTS: Security Advisory for mosquitto (DLA-1146-1)
2018-02-07T00:00:00
ID: OPENVAS:1361412562310891146 | Type: openvas | Reporter: Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net | Modified: 2020-01-29T00:00:00
Description
mosquitto
# Copyright (C) 2018 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) of the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# Registration phase. When the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# host is contacted; the package comparison lives further down.
if(description)
{
  # Identity and bookkeeping.
  script_oid("1.3.6.1.4.1.25623.1.0.891146");
  script_version("2020-01-29T08:22:52+0000");
  script_name("Debian LTS: Security Advisory for mosquitto (DLA-1146-1)");
  script_cve_id("CVE-2017-9868");
  script_tag(name:"creation_date", value:"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)");
  script_tag(name:"last_modification", value:"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)");

  # Severity as published (CVSSv2: local vector, partial confidentiality
  # impact only) and how a finding should be read: a vendor fix exists and
  # the detection is a package-version comparison, not an active probe.
  script_tag(name:"cvss_base", value:"2.1");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  # Where the fix was announced.
  script_xref(name:"URL", value:"https://lists.debian.org/debian-lts-announce/2017/10/msg00023.html");

  # Scheduling: an information-gathering check that is only run once the
  # SSH package inventory exists and the host reports itself as Debian 7.
  script_category(ACT_GATHER_INFO);
  script_family("Debian Local Security Checks");
  script_copyright("Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB7");

  # Report text, wording taken from the DLA. Note the caveat in the summary:
  # upgrading does not re-permission an already existing persistence file.
  script_tag(name:"affected", value:"mosquitto on Debian Linux");
  script_tag(name:"solution", value:"For Debian 7 'Wheezy', these problems have been fixed in version
0.15-2+deb7u2.
We recommend that you upgrade your mosquitto packages.");
  script_tag(name:"summary", value:"mosquitto's persistence file (mosquitto.db) was created in a
world-readable way thus allowing local users to obtain sensitive MQTT
topic information. While the application has been fixed to set
proper permissions by default, you still have to manually fix
the permissions on any existing file.");
  script_tag(name:"vuldetect", value:"This check tests the installed software version using the apt package manager.");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Detection phase. Every binary package built from the mosquitto source is
# compared against the version that carries the fix for Debian 7.
# isdpkgvuln() comes from pkg-lib-deb.inc: it yields a report fragment when
# an older package is installed and NULL otherwise; the same library also
# maintains __pkg_match, which appears to record whether any of the queried
# packages was present at all (its exact contract is not visible here).
fixed_ver = "0.15-2+deb7u2";
affected_pkgs = make_list("libmosquitto0",
                          "libmosquitto0-dev",
                          "libmosquittopp0",
                          "libmosquittopp0-dev",
                          "mosquitto",
                          "mosquitto-clients",
                          "python-mosquitto");

res = "";
report = "";
foreach pkg(affected_pkgs) {
  res = isdpkgvuln(pkg:pkg, ver:fixed_ver, rls:"DEB7");
  if(!isnull(res))
    report += res;
}

# A fixed package version only shows that the corrected code is installed.
# Per the advisory text, a mosquitto.db created before the upgrade keeps its
# old world-readable mode until it is re-permissioned by hand, and a
# package-list comparison cannot observe that; treat a clean result here as
# "patched", not as "persistence file secured".
if(report != "") {
  security_message(data:report);
} else if(__pkg_match) {
  # Package family present but nothing below the fixed version: exit code 99
  # is the convention for "installed and not affected".
  exit(99);
}
{"id": "OPENVAS:1361412562310891146", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian LTS: Security Advisory for mosquitto (DLA-1146-1)", "description": "mosquitto", "published": "2018-02-07T00:00:00", "modified": "2020-01-29T00:00:00", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891146", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net", "references": ["https://lists.debian.org/debian-lts-announce/2017/10/msg00023.html"], "cvelist": ["CVE-2017-9868"], "lastseen": "2020-01-29T20:09:27", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-9868"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1525-1:272FE", "DEBIAN:DLA-1146-1:4B852"]}, {"type": "nessus", "idList": ["FEDORA_2017-749F4C7D2A.NASL", "FEDORA_2017-79886EA453.NASL", "DEBIAN_DLA-1525.NASL", "FEDORA_2017-D76189B06D.NASL", "DEBIAN_DLA-1146.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891525", "OPENVAS:1361412562310872851", "OPENVAS:1361412562310872850"]}, {"type": "fedora", "idList": ["FEDORA:BE0FF60C9833", "FEDORA:2C3CA60567C9", "FEDORA:39F6E6079D31"]}, {"type": "archlinux", "idList": ["ASA-201707-16"]}], "modified": "2020-01-29T20:09:27", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2020-01-29T20:09:27", "rev": 2}, "vulnersScore": 5.8}, "pluginID": "1361412562310891146", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891146\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-9868\");\n script_name(\"Debian LTS: Security Advisory for mosquitto (DLA-1146-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/10/msg00023.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"mosquitto on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n0.15-2+deb7u2.\n\nWe recommend that you upgrade your mosquitto packages.\");\n\n script_tag(name:\"summary\", value:\"mosquitto's persistence file (mosquitto.db) was created in a\nworld-readable way thus allowing local users to obtain sensitive MQTT\ntopic information. 
While the application has been fixed to set\nproper permissions by default, you still have to manually fix\nthe permissions on any existing file.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquitto0\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquitto0-dev\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquittopp0\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquittopp0-dev\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mosquitto\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mosquitto-clients\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python-mosquitto\", ver:\"0.15-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:36:52", "description": "In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-25T14:29:00", "title": "CVE-2017-9868", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9868"], "modified": "2019-03-12T16:14:00", "cpe": ["cpe:/a:eclipse:mosquitto:1.4.12", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2017-9868", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9868", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:eclipse:mosquitto:1.4.12:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:34:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-14T00:00:00", "id": "OPENVAS:1361412562310872850", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310872850", "type": "openvas", "title": "Fedora Update for mosquitto FEDORA-2017-749f4c7d2a", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mosquitto FEDORA-2017-749f4c7d2a\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872850\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-14 15:55:24 +0530 (Fri, 14 Jul 2017)\");\n script_cve_id(\"CVE-2017-9868\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mosquitto FEDORA-2017-749f4c7d2a\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mosquitto'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mosquitto on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-749f4c7d2a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ULKYON6B3GEMWWO5VCFHWM5CGIDKVC4Y\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"mosquitto\", rpm:\"mosquitto~1.4.13~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-07-14T00:00:00", "id": "OPENVAS:1361412562310872851", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872851", "type": "openvas", "title": "Fedora Update for mosquitto FEDORA-2017-79886ea453", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mosquitto FEDORA-2017-79886ea453\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872851\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-14 15:54:47 +0530 (Fri, 14 Jul 2017)\");\n script_cve_id(\"CVE-2017-9868\");\n script_tag(name:\"cvss_base\", value:\"2.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mosquitto FEDORA-2017-79886ea453\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mosquitto'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"mosquitto on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-79886ea453\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPDEUTLLJCLNG24EGL6GVLIXQSPGUY5T\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"mosquitto\", rpm:\"mosquitto~1.4.13~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-29T20:09:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7653", "CVE-2017-7654", "CVE-2017-9868"], "description": "CVE-2017-7653\n\nAs invalid UTF-8 strings are not correctly checked, an attacker could\ncause a denial of service to other clients by disconnecting\nthem from the broker with special crafted topics.\n\nCVE-2017-7654\n\nDue to a memory leak unauthenticated clients can send special crafted\nCONNECT packets which could cause a denial of service in the broker.\n\nCVE-2017-9868\n\nDue to wrong file permissions local users could obtain topic\ninformation from the mosquitto database.", "modified": "2020-01-29T00:00:00", "published": "2018-10-01T00:00:00", "id": "OPENVAS:1361412562310891525", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891525", "type": "openvas", "title": "Debian LTS: Security Advisory for mosquitto (DLA-1525-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are 
Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891525\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-7653\", \"CVE-2017-7654\", \"CVE-2017-9868\");\n script_name(\"Debian LTS: Security Advisory for mosquitto (DLA-1525-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-01 00:00:00 +0200 (Mon, 01 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00036.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", 
value:\"mosquitto on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1.3.4-2+deb8u3.\n\nWe recommend that you upgrade your mosquitto packages.\");\n\n script_tag(name:\"summary\", value:\"CVE-2017-7653\n\nAs invalid UTF-8 strings are not correctly checked, an attacker could\ncause a denial of service to other clients by disconnecting\nthem from the broker with special crafted topics.\n\nCVE-2017-7654\n\nDue to a memory leak unauthenticated clients can send special crafted\nCONNECT packets which could cause a denial of service in the broker.\n\nCVE-2017-9868\n\nDue to wrong file permissions local users could obtain topic\ninformation from the mosquitto database.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquitto-dev\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquitto1\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquittopp-dev\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmosquittopp1\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mosquitto\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mosquitto-clients\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"mosquitto-dbg\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python-mosquitto\", ver:\"1.3.4-2+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python3-mosquitto\", ver:\"1.3.4-2+deb8u3\", 
rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9868"], "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. ", "modified": "2017-07-07T23:23:52", "published": "2017-07-07T23:23:52", "id": "FEDORA:BE0FF60C9833", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: mosquitto-1.4.13-1.fc26", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9868"], "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. 
", "modified": "2017-07-12T01:55:31", "published": "2017-07-12T01:55:31", "id": "FEDORA:2C3CA60567C9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: mosquitto-1.4.13-1.fc24", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9868"], "description": "Mosquitto is an open source message broker that implements the MQ Telemetry Transport protocol version 3.1 and 3.1.1 MQTT provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for \"machine to machine\" messaging such as with low power sensors or mobile devices such as phones, embedded computers or micro-controllers like the Arduino. ", "modified": "2017-07-12T03:28:11", "published": "2017-07-12T03:28:11", "id": "FEDORA:39F6E6079D31", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: mosquitto-1.4.13-1.fc25", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-07T10:11:35", "description": "Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-13T00:00:00", "title": "Fedora 24 : mosquitto (2017-749f4c7d2a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "modified": "2017-07-13T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mosquitto", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-749F4C7D2A.NASL", "href": "https://www.tenable.com/plugins/nessus/101507", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from Fedora Security Advisory FEDORA-2017-749f4c7d2a.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101507);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9868\");\n script_xref(name:\"FEDORA\", value:\"2017-749f4c7d2a\");\n\n script_name(english:\"Fedora 24 : mosquitto (2017-749f4c7d2a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-749f4c7d2a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mosquitto package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"mosquitto-1.4.13-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mosquitto\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:11:38", "description": "Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it 
as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-13T00:00:00", "title": "Fedora 25 : mosquitto (2017-79886ea453)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "modified": "2017-07-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:mosquitto"], "id": "FEDORA_2017-79886EA453.NASL", "href": "https://www.tenable.com/plugins/nessus/101508", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-79886ea453.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101508);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9868\");\n script_xref(name:\"FEDORA\", value:\"2017-79886ea453\");\n\n script_name(english:\"Fedora 25 : mosquitto (2017-79886ea453)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-79886ea453\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mosquitto package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"mosquitto-1.4.13-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mosquitto\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:38:46", "description": "mosquitto's persistence file (mosquitto.db) was created in a\nworld-readable way thus allowing local users to obtain sensitive MQTT\ntopic information. While the application has been fixed to set proper\npermissions by default, you still have to manually fix the permissions\non any existing file.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n0.15-2+deb7u2.\n\nWe recommend that you upgrade your mosquitto packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-27T00:00:00", "title": "Debian DLA-1146-1 : mosquitto security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "modified": "2017-10-27T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libmosquitto0", "p-cpe:/a:debian:debian_linux:mosquitto", "p-cpe:/a:debian:debian_linux:python-mosquitto", "p-cpe:/a:debian:debian_linux:libmosquittopp0-dev", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:mosquitto-clients", "p-cpe:/a:debian:debian_linux:libmosquitto0-dev", "p-cpe:/a:debian:debian_linux:libmosquittopp0"], "id": "DEBIAN_DLA-1146.NASL", "href": "https://www.tenable.com/plugins/nessus/104185", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1146-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104185);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-9868\");\n\n script_name(english:\"Debian DLA-1146-1 : mosquitto security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"mosquitto's persistence file (mosquitto.db) was created in a\nworld-readable way thus allowing local users to obtain sensitive MQTT\ntopic information. 
While the application has been fixed to set proper\npermissions by default, you still have to manually fix the permissions\non any existing file.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n0.15-2+deb7u2.\n\nWe recommend that you upgrade your mosquitto packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/10/msg00023.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/mosquitto\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquitto0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquitto0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquittopp0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquittopp0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mosquitto-clients\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libmosquitto0\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libmosquitto0-dev\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libmosquittopp0\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libmosquittopp0-dev\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mosquitto\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"mosquitto-clients\", reference:\"0.15-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python-mosquitto\", reference:\"0.15-2+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 2.1, "vector": 
"AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:14:08", "description": "Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : mosquitto (2017-d76189b06d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-9868"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mosquitto", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-D76189B06D.NASL", "href": "https://www.tenable.com/plugins/nessus/101729", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-d76189b06d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101729);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-9868\");\n script_xref(name:\"FEDORA\", value:\"2017-d76189b06d\");\n\n script_name(english:\"Fedora 26 : mosquitto (2017-d76189b06d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2017-9868 (rhbz#1464946)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n 
);\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-d76189b06d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mosquitto package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/06/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"mosquitto-1.4.13-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mosquitto\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:39:55", "description": "CVE-2017-7653\n\nAs invalid UTF-8 strings are not correctly checked, an attacker could\ncause a denial of service to other clients by disconnecting them from\nthe broker with special crafted topics.\n\nCVE-2017-7654\n\nDue to a memory leak unauthenticated clients can send special crafted\nCONNECT packets which could cause a denial of service in the broker.\n\nCVE-2017-9868\n\nDue to wrong file permissions local users could obtain topic\ninformation from the mosquitto database.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.3.4-2+deb8u3.\n\nWe recommend that you upgrade your mosquitto packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-10-01T00:00:00", "title": "Debian DLA-1525-1 : mosquitto security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7653", "CVE-2017-7654", "CVE-2017-9868"], "modified": "2018-10-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libmosquitto-dev", "p-cpe:/a:debian:debian_linux:libmosquitto1", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libmosquittopp-dev", "p-cpe:/a:debian:debian_linux:mosquitto", "p-cpe:/a:debian:debian_linux:python-mosquitto", "p-cpe:/a:debian:debian_linux:python3-mosquitto", "p-cpe:/a:debian:debian_linux:libmosquittopp1", "p-cpe:/a:debian:debian_linux:mosquitto-clients", "p-cpe:/a:debian:debian_linux:mosquitto-dbg"], "id": "DEBIAN_DLA-1525.NASL", "href": "https://www.tenable.com/plugins/nessus/117835", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1525-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117835);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-7653\", \"CVE-2017-7654\", \"CVE-2017-9868\");\n\n script_name(english:\"Debian DLA-1525-1 : mosquitto security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2017-7653\n\nAs invalid UTF-8 strings are not correctly checked, an attacker could\ncause a denial of service to other clients by disconnecting them from\nthe broker with special crafted topics.\n\nCVE-2017-7654\n\nDue to a memory leak unauthenticated clients can send special crafted\nCONNECT packets which could cause a denial of service in the broker.\n\nCVE-2017-9868\n\nDue to wrong file permissions local users could obtain topic\ninformation from the mosquitto database.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.3.4-2+deb8u3.\n\nWe recommend that you upgrade your mosquitto packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00036.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/mosquitto\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquitto-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquitto1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquittopp-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libmosquittopp1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mosquitto-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:mosquitto-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3-mosquitto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libmosquitto-dev\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmosquitto1\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmosquittopp-dev\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libmosquittopp1\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mosquitto\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mosquitto-clients\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"mosquitto-dbg\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python-mosquitto\", reference:\"1.3.4-2+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"python3-mosquitto\", reference:\"1.3.4-2+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9868"], "description": "Arch Linux Security Advisory ASA-201707-16\n==========================================\n\nSeverity: Medium\nDate : 2017-07-16\nCVE-ID : 
CVE-2017-9868\nPackage : mosquitto\nType : information disclosure\nRemote : No\nLink : https://security.archlinux.org/AVG-353\n\nSummary\n=======\n\nThe package mosquitto before version 1.4.14-1 is vulnerable to\ninformation disclosure.\n\nResolution\n==========\n\nUpgrade to 1.4.14-1.\n\n# pacman -Syu \"mosquitto>=1.4.14-1\"\n\nThe problem has been fixed upstream in version 1.4.14.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is\nworld readable, which allows local users to obtain sensitive MQTT topic\ninformation.\n\nImpact\n======\n\nA local attacker could access sensitive information by reading the\nmosquitto.db.\n\nReferences\n==========\n\nhttps://mosquitto.org/2017/06/security-advisory-cve-2017-9868/\nhttps://security.archlinux.org/CVE-2017-9868", "modified": "2017-07-16T00:00:00", "published": "2017-07-16T00:00:00", "id": "ASA-201707-16", "href": "https://security.archlinux.org/ASA-201707-16", "type": "archlinux", "title": "[ASA-201707-16] mosquitto: information disclosure", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-05-30T02:22:28", "bulletinFamily": "unix", "cvelist": ["CVE-2017-9868"], "description": "Package : mosquitto\nVersion : 0.15-2+deb7u2\nCVE ID : CVE-2017-9868\nDebian Bug : 865959\n\nmosquitto's persistence file (mosquitto.db) was created in a\nworld-readable way thus allowing local users to obtain sensitive MQTT\ntopic information. 
While the application has been fixed to set\nproper permissions by default, you still have to manually fix\nthe permissions on any existing file.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n0.15-2+deb7u2.\n\nWe recommend that you upgrade your mosquitto packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n- -- \nRapha\u00ebl Hertzog \u25c8 Debian Developer\n\nSupport Debian LTS: https://www.freexian.com/services/debian-lts.html\nLearn to master Debian: https://debian-handbook.info/get/\n", "edition": 3, "modified": "2017-10-26T16:05:57", "published": "2017-10-26T16:05:57", "id": "DEBIAN:DLA-1146-1:4B852", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201710/msg00023.html", "title": "[SECURITY] [DLA 1146-1] mosquitto security update", "type": "debian", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-12T01:10:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7653", "CVE-2017-7654", "CVE-2017-9868"], "description": "Package : mosquitto\nVersion : 1.3.4-2+deb8u3\nCVE ID : CVE-2017-7653 CVE-2017-7654 CVE-2017-9868\n\n\nCVE-2017-7653\n\n As invalid UTF-8 strings are not correctly checked, an attacker could\n cause a denial of service to other clients by disconnecting\n them from the broker with special crafted topics.\n\n\nCVE-2017-7654\n\n Due to a memory leak unauthenticated clients can send special crafted\n CONNECT packets which could cause a denial of service in the broker.\n\n\nCVE-2017-9868\n\n Due to wrong file permissions local users could obtain topic\n information from the mosquitto database.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1.3.4-2+deb8u3.\n\nWe recommend that you upgrade your mosquitto packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to 
your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 12, "modified": "2018-09-28T21:05:28", "published": "2018-09-28T21:05:28", "id": "DEBIAN:DLA-1525-1:272FE", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00036.html", "title": "[SECURITY] [DLA 1525-1] mosquitto security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}