Description
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Remediation
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934
Related Vulnerabilities
CVE-2019-1003022 Vulnerability in maven package org.jvnet.hudson.plugins:monitoring
CVE-2020-2198 Vulnerability in maven package hudson.plugins:project-inheritance
CVE-2023-40178 Vulnerability in npm package @node-saml/node-saml
CVE-2023-29521 Vulnerability in maven package org.xwiki.platform:xwiki-platform-vfs-ui
CVE-2022-43670 Vulnerability in maven package org.apache.sling:org.apache.sling.cms