Mosquitto CVE-2017-7650
=======================

Pattern based ACLs can be bypassed by clients that set their username/client id
to '#' or '+'. This allows locally or remotely connected clients to access MQTT
topics that they do have the rights to. The same issue may be present in third
party authentication/access control plugins for Mosquitto.

This issue affects all versions of Mosquitto 0.15 to 1.4.11 inclusive. It only
comes into effect where pattern based ACLs are in use, or potentially where
third party plugins are in use.

Version 1.4.12 of Mosquitto fixes the problem.

The fix addresses the problem by restricting access for clients with a '#',
'+', or '/' in their username or client id. '/' has been included in the list
of characters disallowed because it also has a special meaning in a topic and
may represent an additional risk. The restriction placed on clients is that
they may not receive or send messages that are subject to a pattern based ACL
check, nor any message that is subject to a plugin check.