Description
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
References (1)
Core References
Issue Tracking, Vendor Advisory (x_refsource_confirm)
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934
Scores
CVSS v3
7.5
EPSS
0.0128
EPSS Percentile
79.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-755
CWE-346
Status
published
Products (2)
eclipse/paho_java_client
1.2.0
org.eclipse.paho/org.eclipse.paho.client.mqttv3
0 - 1.2.1 (Maven)
Published
Sep 11, 2019
Tracked Since
Feb 18, 2026