Description

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934

Related Vulnerabilities

CVE-2020-14340 Vulnerability in maven package org.jboss.xnio:xnio-nio

CVE-2020-1963 Vulnerability in maven package org.apache.ignite:ignite-core

CVE-2023-33003 Vulnerability in maven package org.jenkins-ci.plugins:tag-profiler

CVE-2023-43961 Vulnerability in maven package cn.dev33:sa-token-core

CVE-2023-22665 Vulnerability in maven package org.apache.jena:jena-arq

Severity

High

Classification

CWE-346 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory