CVE-2019-11777

EUVD-2019-0656
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
eclipsepaho_java_client
1.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934