{"id":"CVE-2018-20145","details":"Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.","modified":"2026-04-11T14:54:22.910382Z","published":"2018-12-13T20:29:00.240Z","related":["openSUSE-SU-2024:11057-1"],"references":[{"type":"ADVISORY","url":"https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt"},{"type":"FIX","url":"https://github.com/eclipse/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4"},{"type":"FIX","url":"https://github.com/eclipse/mosquitto/issues/1073"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-mosquitto/mosquitto","events":[{"introduced":"0"},{"fixed":"9097577b49b7fdcf45d30975976dd93808ccc0c4"}]},{"type":"GIT","repo":"https://github.com/eclipse/mosquitto","events":[{"introduced":"5e60136449d678948520085985d7e7f91f9e601c"},{"fixed":"66dfa573946425661626e2f574ef125ab01b01f5"}],"database_specific":{"versions":[{"introduced":"1.5"},{"fixed":"1.5.5"}]}}],"versions":["v1.4.1","v1.4.10","v1.4.11","v1.4.12","v1.4.13","v1.4.14","v1.4.15","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5","v1.5.1","v1.5.2","v1.5.3","v1.5.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20145.json","vanir_signatures_modified":"2026-04-11T14:54:22Z","vanir_signatures":[{"deprecated":false,"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4","digest":{"line_hashes":["237389952011881478287382112648987743294","272451151438414953003976969110111933824","51697838977234724229644107283187418883","282321170269120821608752377155100442388"],"threshold":0.9},"target":{"file":"src/conf.c"},"signature_type":"Line","id":"CVE-2018-20145-5abb4622","signature_version":"v1"},{"deprecated":false,"source":"https://github.com/eclipse-mosquitto/mosquitto/commit/9097577b49b7fdcf45d30975976dd93808ccc0c4","digest":{"function_hash":"327595239859168560702558468712667619739","length":6844},"target":{"function":"config__parse_args","file":"src/conf.c"},"signature_type":"Function","id":"CVE-2018-20145-700270e5","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}