PT-2019-12494 · Eclipse · Eclipse Paho Java Client Library

Carolina Adaros · Published 2019-09-11 · Updated 2020-10-06 · CVE-2019-11777

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse Paho Java client library version 1.2.0

Description: The issue arises when the Eclipse Paho Java client library connects to an MQTT server over TLS with a host name verifier set. The verifier is invoked, but its result is not checked, so a mismatch between the server certificate and the intended host name does not abort the connection. This could allow one MQTT server to impersonate another and feed the client library incorrect information.

Recommendations: For Eclipse Paho Java client library version 1.2.0, update to a release that fixes this issue; version 1.2.0 does not check the result of host name verification when connecting to an MQTT server over TLS. At the time of writing, no release containing a fix for this vulnerability has been identified.
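The following Java is an added illustration of the defect class described above; it is not the Paho library's code and does not come from this advisory. The class name `HostNameCheck`, the method names and the host names `broker.example.test` / `other.example.test` are constructed placeholders. It places the vulnerable pattern (verifier called, boolean result discarded) beside the hardened form (a `false` result raises `SSLPeerUnverifiedException` before any MQTT traffic is sent), and shows where the check belongs in a TLS connection sequence.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

public final class HostNameCheck {

    // Vulnerable pattern (illustrative, not the library's code): the verifier runs,
    // but its boolean result is discarded, so a certificate for a different host
    // is accepted and the client keeps talking to whoever answered.
    static void vulnerableCheck(HostnameVerifier verifier, String host, SSLSession session) {
        if (verifier != null) {
            verifier.verify(host, session); // return value ignored: this is the bug
        }
    }

    // Hardened form: a false result aborts the connection before any MQTT packet is sent.
    static void requireVerifiedHost(HostnameVerifier verifier, String host, SSLSession session)
            throws SSLPeerUnverifiedException {
        if (verifier != null && !verifier.verify(host, session)) {
            throw new SSLPeerUnverifiedException("Host name verification failed for " + host);
        }
    }

    // Where the check belongs when opening a TLS connection to an MQTT server:
    // complete the handshake, then verify the peer against the host the client
    // intended to reach, and close the socket on failure.
    static SSLSocket openVerifiedTlsSocket(SSLSocketFactory factory, String host, int port,
                                          HostnameVerifier verifier) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // Defence in depth, independent of the library's verifier hook: ask JSSE
            // itself to match the certificate against the host during the handshake.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            requireVerifiedHost(verifier, host, socket.getSession());
            return socket;
        } catch (IOException e) {
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed verifier that accepts only the intended placeholder host name.
        HostnameVerifier pinToIntended = (h, s) -> "broker.example.test".equals(h);

        // The session is null here because the constructed verifier never consults it;
        // a real verifier inspects session.getPeerCertificates().
        vulnerableCheck(pinToIntended, "other.example.test", null);
        System.out.println("vulnerable pattern: host mismatch silently accepted");

        try {
            requireVerifiedHost(pinToIntended, "other.example.test", null);
            System.out.println("hardened pattern: accepted (unexpected)");
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("hardened pattern: rejected -> " + e.getMessage());
        }
    }
}
```

Running `main` offline exercises both paths with the constructed verifier: the vulnerable helper returns normally on a mismatched host, while the hardened helper throws. When auditing an MQTT client for this weakness, the thing to look for is exactly the shape of `vulnerableCheck`: a call to `HostnameVerifier.verify` whose return value is never used in a condition.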

Weakness Enumeration

Origin Validation Error
Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2019-11777
GHSA-63QC-P2X4-9FGF

Affected Products

Eclipse Paho Java Client Library