Mosquitto ignores acl_file on default listener if per_listener_settings=true #1073

jefdriesen opened this Issue Dec 7, 2018 · 2 comments



jefdriesen commented Dec 7, 2018

When mosquitto is configured as follows:

per_listener_settings true

port 1883
acl_file /etc/mosquitto/

listener 1884
acl_file /etc/mosquitto/

Then the default listener (on port 1883) ignores the acl_file. This can easily be confirmed by specifying a non-existent ACL file. Mosquitto will start up fine, without complaining about the non-existent file. And when trying to send messages, there are indeed no ACLs in effect.

This is a potential security risk!

ralight added this to the 1.5.5 milestone Dec 8, 2018

ralight closed this in 9097577 Dec 11, 2018
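
A configuration audit for the layout reported above, as an added example that is not part of the issue thread or of the Mosquitto project: it flags an `acl_file` set on the default listener while `per_listener_settings` is true, and checks that every referenced ACL file exists, since the report says the broker starts without complaining. The function name, finding codes and sample ACL paths are assumptions made for illustration.

```python
import os

# Constructed sample mirroring the issue's layout; the ACL paths are placeholders.
SAMPLE_CONF = """\
per_listener_settings true

port 1883
acl_file /etc/mosquitto/acl-default.example

listener 1884
acl_file /etc/mosquitto/acl-1884.example
"""

def audit_mosquitto_conf(text, exists=os.path.isfile):
    """Return (code, section, acl_path) findings for a mosquitto.conf string."""
    per_listener = False
    section = "default"   # options before the first `listener` line configure the default listener
    acl_files = {}        # section name -> acl_file path
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "per_listener_settings":
            per_listener = value.lower() == "true"
        elif key == "listener" and value:
            section = "listener " + value.split()[0]
        elif key == "acl_file":
            acl_files[section] = value
    findings = []
    # The layout from the issue: ACL on the default listener with per-listener settings on.
    if per_listener and "default" in acl_files:
        findings.append(("default-acl-ignored-if-unpatched", "default", acl_files["default"]))
    # The report says the broker starts without complaint when the file is absent, so check it here.
    for name, path in acl_files.items():
        if not exists(path):
            findings.append(("acl-file-missing", name, path))
    return findings

if __name__ == "__main__":
    for finding in audit_mosquitto_conf(SAMPLE_CONF):
        print(*finding, sep="\t")
```

The `exists` parameter lets the check run against a copy of the configuration on a machine that does not hold the ACL files.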



nluedtke commented Dec 20, 2018

For completeness' sake, this received CVE-2018-20145.



ralight commented Dec 20, 2018

@nluedtke Thank you. As this was disclosed publicly, my priority was to get a fix out rather than asking for a CVE. Thanks for removing that burden, I'll get the documentation updated.
