PT-2020-12511 · Unknown · Java-Websocket

Peter Stöckli · Published 2020-05-07 · Updated 2021-10-07 · CVE-2020-11050

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Java-WebSocket versions 1.4.1 and earlier

Description: The issue is an improper validation of certificates with a host mismatch: the WebSocketClient does not perform SSL hostname validation, so an SSL certificate issued to a different host is accepted as long as it is trusted. To exploit this, an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket client and the WebSocket server it is connecting to. Normally, TLS protects users and systems against MITM attacks, but it cannot when the client accepts certificates issued to other trusted hosts.

Recommendations: For Java-WebSocket versions 1.4.1 and earlier, update to version 1.5.0 or later to resolve the issue. As a temporary workaround until the update can be applied, ensure the client does not accept SSL certificates issued to other trusted hosts. Restrict access to the WebSocketClient to minimize the risk of exploitation. Avoid using the WebSocketClient in environments where MITM attacks are a significant concern until the issue is resolved.
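An added illustration in plain JSSE, not code from the Java-WebSocket project (version 1.5.0 and later performs this check itself): enabling endpoint identification before the handshake is what makes the JDK reject a certificate issued to a different trusted host, and the explicit SAN check shows what that comparison involves. The host name, port 443 and the default truststore are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class VerifiedTlsSocket {

    // Hardened client socket. A bare SSLSocket only validates the chain against
    // the truststore; without the three SSLParameters lines below it accepts a
    // certificate issued to any other trusted host, which is the flaw above.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        SSLParameters params = s.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(params);
        s.startHandshake(); // throws SSLHandshakeException on a host mismatch
        return s;
    }

    // Explicit dNSName SAN check (exact or single-label wildcard) for auditing a
    // session created elsewhere; it deliberately ignores the legacy CN field.
    static boolean certificateMatchesHost(X509Certificate cert, String host)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        String parent = h.contains(".") ? h.substring(h.indexOf('.') + 1) : null;
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.") && name.substring(2).equals(parent)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org"; // assumed host you control
        try (SSLSocket s = connectWithHostnameCheck(host, 443)) {
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("leaf certificate matches " + host + ": " + certificateMatchesHost(leaf, host));
        }
    }
}
```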

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2020-11050
GHSA-GW55-JM4H-X339

Affected Products

Java-Websocket