CVE-2019-11777 – org.eclipse.paho:org.eclipse.paho.client.mqttv3
Package
Manager: maven
Name: org.eclipse.paho:org.eclipse.paho.client.mqttv3
Vulnerable Version: >=0 <1.2.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01325 (percentile: 0.79142)
Details
Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Metadata
Created: 2019-09-17T22:47:11Z
Modified: 2021-04-27T19:46:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-63qc-p2x4-9fgf/GHSA-63qc-p2x4-9fgf.json
CWE IDs: ["CWE-346", "CWE-755"]
Alternative ID: GHSA-63qc-p2x4-9fgf
Finding: F096
Auto approve: 1