Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201707-16 ========================================= Severity: Medium Date : 2017-07-16 CVE-ID : CVE-2017-9868 Package : mosquitto Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-353 Summary ====== The package mosquitto before version 1.4.14-1 is vulnerable to information disclosure. Resolution ========= Upgrade to 1.4.14-1. # pacman -Syu "mosquitto>=1.4.14-1" The problem has been fixed upstream in version 1.4.14. Workaround ========= None. Description ========== In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. Impact ===== A local attacker could access sensitive information by reading the mosquitto.db. References ========= https://mosquitto.org/2017/06/security-advisory-cve-2017-9868/ https://security.archlinux.org/CVE-2017-9868