Improper Authorization

Affecting aedes package, versions <0.35.1

medium severity

Overview

aedes is a barebone MQTT server that can run on any stream server.

Affected versions of this package are vulnerable to Improper Authorization. One client can connect and subscribe to the topic "will". A second client can then connect with a last-will message whose topic is "will" and publish a message to the topic "test"; that publish fails authorization, and the broker breaks the connection. Breaking the connection triggers the last will and testament (LWT), so the broker delivers the will message to "will", where the first client can see it. The will is thus delivered even though the client's direct publishes are being rejected.
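
To make the gap concrete from the defender's side, the following is an added example, not aedes code and not using the aedes API: a toy in-memory broker that replays the sequence from the overview. The names ToyBroker, PUBLISH_ACL, authorizePublish and runScenario, and the sample ACL, are constructed for this illustration. With the will exempt from the publish check, the last-will message reaches the subscriber on "will"; with the same publish check applied to the will at CONNECT time and again when the will is about to fire, the CONNECT is refused and nothing is delivered. How the fixed aedes release implements its check is not described on this page; the example shows the general mitigation only.

```javascript
// Added illustration, not aedes code: a toy in-memory MQTT-style broker that
// models the last-will (LWT) flow described in the advisory. ToyBroker,
// PUBLISH_ACL, authorizePublish and runScenario are constructed names.

// Constructed sample ACL: the topics each client may publish to.
const PUBLISH_ACL = {
  alice: ['will'], // alice may publish to "will" (she also subscribes to it below)
  bob: [],         // bob has no publish rights at all
};

// Publish authorization check used for ordinary PUBLISH packets.
function authorizePublish(clientId, topic) {
  return (PUBLISH_ACL[clientId] || []).includes(topic);
}

class ToyBroker {
  // authorizeWill = false reproduces the unpatched behaviour (the will bypasses
  // the publish check); true runs the same check on the will at CONNECT and
  // once more when the will is about to be fired.
  constructor(authorizeWill) {
    this.authorizeWill = authorizeWill;
    this.subscriptions = {}; // topic -> array of clientIds
    this.wills = {};         // clientId -> { topic, payload }
    this.delivered = [];     // every message handed to a subscriber
  }

  // CONNECT with an optional last-will message. Returns false if refused.
  connect(clientId, will) {
    if (will) {
      if (this.authorizeWill && !authorizePublish(clientId, will.topic)) {
        return false; // hardened: refuse a will the client could not publish itself
      }
      this.wills[clientId] = will;
    }
    return true;
  }

  subscribe(clientId, topic) {
    (this.subscriptions[topic] = this.subscriptions[topic] || []).push(clientId);
  }

  // PUBLISH: an unauthorized publish drops the connection, which fires the will.
  publish(clientId, topic, payload) {
    if (!authorizePublish(clientId, topic)) {
      this.disconnect(clientId);
      return false;
    }
    this.deliver(topic, payload);
    return true;
  }

  disconnect(clientId) {
    const will = this.wills[clientId];
    delete this.wills[clientId];
    if (!will) return;
    // Hardened path re-checks at fire time, so an ACL change after CONNECT
    // still cannot be sidestepped through the stored will.
    if (this.authorizeWill && !authorizePublish(clientId, will.topic)) return;
    this.deliver(will.topic, will.payload);
  }

  deliver(topic, payload) {
    for (const to of this.subscriptions[topic] || []) {
      this.delivered.push({ to, topic, payload });
    }
  }
}

// Replays the advisory's sequence: a subscriber on "will", then a second client
// that connects with a will on "will" and publishes to a topic it may not use.
function runScenario(authorizeWill) {
  const broker = new ToyBroker(authorizeWill);
  broker.connect('alice');
  broker.subscribe('alice', 'will');
  const accepted = broker.connect('bob', { topic: 'will', payload: 'via-lwt' });
  if (accepted) {
    broker.publish('bob', 'test', 'x'); // authorization failure -> disconnect -> LWT
  }
  return { accepted, delivered: broker.delivered };
}

// runScenario(false): bob's will reaches alice although bob may not publish to "will".
// runScenario(true): the CONNECT is refused and the delivered log stays empty.
```

The design point is that a will message is a deferred publish on the client's behalf, so it must pass exactly the publish authorization the client would face for a live PUBLISH; checking at CONNECT gives an early, loggable rejection, and re-checking at fire time covers ACLs that change while the session is open.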

Remediation

Upgrade aedes to version 0.35.1 or higher.

Credit: mhverbakel
CVE: CVE-2018-3778
CWE: CWE-285
Snyk ID: npm:aedes:20180807
Disclosed: 07 Aug, 2018
Published: 08 Aug, 2018