CVE-2019-11777 - OpenCVE

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Eclipse	Paho Java Client

Configuration 1 [-]

cpe:2.3:a:eclipse:paho_java_client:1.2.0:*:*:*:*:*:*:*

References

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: eclipse

Published: 2019-09-11T17:55:21

Updated: 2019-09-11T17:55:21

Reserved: 2019-05-06T00:00:00

Link: CVE-2019-11777

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-11T18:15:10.757

Modified: 2020-10-06T17:39:04.480

Link: CVE-2019-11777

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Eclipse Paho", "vendor": "The Eclipse Foundation", "versions": [{"status": "affected", "version": "1.2.0"}]}], "descriptions": [{"lang": "en", "value": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "description": "CWE-346: Origin Validation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-11T17:55:21", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2019-11777", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eclipse Paho", "version": {"version_data": [{"version_affected": "=", "version_value": "1.2.0"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-346: Origin Validation Error"}]}]}, "references": {"reference_data": [{"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934"}]}}}}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2019-11777", "datePublished": "2019-09-11T17:55:21", "dateReserved": "2019-05-06T00:00:00", "dateUpdated": "2019-09-11T17:55:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:paho_java_client:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8C88F9B1-025B-49C0-8ADB-8CD4C89CF7F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information."}, {"lang": "es", "value": "En la biblioteca del cliente Eclipse Paho Java versi\u00f3n 1.2.0, cuando se conecta con un servidor MQTT usando TLS y configura un verificador de nombre de host, el resultado de esta verificaci\u00f3n no es comprobada. Esto podr\u00eda permitir a un servidor MQTT hacerse pasar por otro y proveer a la biblioteca del cliente con informaci\u00f3n incorrecta."}], "id": "CVE-2019-11777", "lastModified": "2020-10-06T17:39:04.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-11T18:15:10.757", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-346"}], "source": "emo@eclipse.org", "type": "Secondary"}]}