TLS Host Name Verification Bypass in Eclipse Paho Java Client Library 1.2.0

TLS Host Name Verification Bypass in Eclipse Paho Java Client Library 1.2.0

CVE-2019-11777 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Learn more about our Cis Benchmark Audit For Server Software.