Description

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934

Related Vulnerabilities

CVE-2022-23305 Vulnerability in maven package log4j:log4j

CVE-2020-36186 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2023-31469 Vulnerability in maven package org.apache.streampipes:streampipes-rest

CVE-2017-1000452 Vulnerability in npm package express-saml2

CVE-2022-34777 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin

Severity

High

Classification

CWE-346 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory