CVE-2019-11777

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:paho_java_client:1.2.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-09-11 18:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-11777

Mitre link : CVE-2019-11777

CVE.ORG link : CVE-2019-11777

JSON object : View

Products Affected

eclipse

paho_java_client

CWE

CWE-346

Origin Validation Error

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2019-11777", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-09-11T18:15:10.757", "references": [{"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-755"}]}, {"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information."}, {"lang": "es", "value": "En la biblioteca del cliente Eclipse Paho Java versi\u00f3n 1.2.0, cuando se conecta con un servidor MQTT usando TLS y configura un verificador de nombre de host, el resultado de esta verificaci\u00f3n no es comprobada. Esto podr\u00eda permitir a un servidor MQTT hacerse pasar por otro y proveer a la biblioteca del cliente con informaci\u00f3n incorrecta."}], "lastModified": "2020-10-06T17:39:04.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:paho_java_client:1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C88F9B1-025B-49C0-8ADB-8CD4C89CF7F1"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}