Description
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Remediation
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934
Related Vulnerabilities
CVE-2023-49145 Vulnerability in maven package org.apache.nifi:nifi-jolt-transform-json-ui
CVE-2021-28162 Vulnerability in npm package @wiptheia/core
CVE-2022-45935 Vulnerability in maven package org.apache.james:apache-james-mailbox-store
CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-spring