CVE-2019-11777 (High) detected in org.eclipse.paho.client.mqttv3-1.2.0.jar #70
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory. |
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2019-11777 - High Severity Vulnerability
The Paho project provides scalable open-source implementations of open and standard messaging protocols aimed at new, existing, and emerging applications for Machine to Machine (M2M) and Internet of Things (IoT).
Library home page: http://www.eclipse.org/paho
Path to dependency file: /pom.xml
Path to vulnerable library: /ory/org/eclipse/paho/org.eclipse.paho.client.mqttv3/1.2.0/org.eclipse.paho.client.mqttv3-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 72456065a443f2258660fde64bebd87fcbc170bb
Found in base branch: master
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Publish Date: 2019-09-11
URL: CVE-2019-11777
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11777
Release Date: 2020-10-06
Fix Resolution: 1.2.1
The text was updated successfully, but these errors were encountered: