Vulnerability Details : CVE-2019-11777
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Products affected by CVE-2019-11777
- cpe:2.3:a:eclipse:paho_java_client:1.2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11777
1.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 79 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11777
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-11777
-
The product does not properly verify that the source of data or communication is valid.Assigned by:
- emo@eclipse.org (Secondary)
- nvd@nist.gov (Primary)
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11777
-
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934
549934 – (CVE-2019-11777) Request for CVE in known hostname validation vulnerability in the MQTT libraryIssue Tracking;Vendor Advisory
Jump to