Improper Authorization

Affecting aedes package, versions <0.35.1

Overview

aedes is a Barebone MQTT server that can run on any stream server.

Affected versions of this package are vulnerable to Improper Authorization. One client can connect and subscribe to the topic "will". From another client, a user can connect with a Last Will and Testament (LWT) message whose topic is "will" and then publish a message to "test"; that publish fails authorization, which breaks the connection. Breaking the connection triggers the LWT, so the broker publishes the will message to "will" and the first client receives it, even though the message never passed the broker's publish authorization.
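As an added illustration, not aedes' own code, the following constructed model broker replays the flow described above and places the vulnerable last-will path beside the hardened one; the hook name authorizePublish, the client ids and the policy are assumptions.

```javascript
// Constructed model of a broker's publish and last-will path (not aedes' code).
// authorizePublish plays the role of the broker's per-publish authorization hook.
class ModelBroker {
  constructor(authorizePublish, authorizeWill) {
    this.authorizePublish = authorizePublish; // (client, packet) => boolean
    this.authorizeWill = authorizeWill;       // true = hardened behaviour
    this.subscriptions = new Map();           // topic => [handler, ...]
    this.clients = new Map();                 // id => { id, will }
  }
  connect(id, will) {
    // will: { topic, payload } registered at CONNECT, published when the session ends
    this.clients.set(id, { id, will });
  }
  subscribe(topic, handler) {
    if (!this.subscriptions.has(topic)) this.subscriptions.set(topic, []);
    this.subscriptions.get(topic).push(handler);
  }
  deliver(packet) {
    for (const handler of this.subscriptions.get(packet.topic) || []) handler(packet);
  }
  publish(id, packet) {
    const client = this.clients.get(id);
    if (!this.authorizePublish(client, packet)) {
      this.disconnect(id); // an authorization failure tears the connection down
      return false;
    }
    this.deliver(packet);
    return true;
  }
  disconnect(id) {
    const client = this.clients.get(id);
    this.clients.delete(id);
    if (!client || !client.will) return;
    // Vulnerable path: the will is delivered without going through authorizePublish.
    // Hardened path: the will is a publish on the client's behalf and gets the same check.
    if (this.authorizeWill && !this.authorizePublish(client, client.will)) return;
    this.deliver(client.will);
  }
}

// Assumed policy for the scenario: client "mallory" may not publish to any topic.
function runScenario(authorizeWill) {
  const seen = [];
  const broker = new ModelBroker((client, packet) => client.id !== 'mallory', authorizeWill);
  broker.connect('victim', null);
  broker.subscribe('will', (p) => seen.push(`${p.topic}:${p.payload}`));
  broker.connect('mallory', { topic: 'will', payload: 'leaked' });
  const accepted = broker.publish('mallory', { topic: 'test', payload: 'x' });
  return { accepted, seen }; // vulnerable: seen = ['will:leaked']; hardened: seen = []
}
```

Running runScenario(false) reproduces the bypass (the subscriber on "will" receives the will message), while runScenario(true) shows the check that closes it.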

Remediation

Upgrade aedes to version 0.35.1 or higher.

CVSS Score

5.0
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N/E:F/RL:O/RC:C
Credit
mhverbakel
CVE
CVE-2018-3778
CWE
CWE-285
Snyk ID
npm:aedes:20180807
Disclosed
07 Aug, 2018
Published
08 Aug, 2018