CVE-2019-11777

HIGH

Eclipse Paho Java client lib < 1.2.1 - TLS hostname verification result ignored (broker impersonation)

Title source: llm

Description

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT broker over TLS with a host name verifier set on the connect options (MqttConnectOptions.setSSLHostnameVerifier), the library calls the verifier but ignores its boolean result. A verifier that rejects the peer therefore has no effect: any server presenting a certificate that chains to a trusted CA, regardless of the name it was issued for, is accepted. This lets one MQTT server (for example, one in a man-in-the-middle position) impersonate another and provide the client with incorrect information. Versions from 1.2.1 abort the connection when the verifier returns false.

Scores

CVSS v3 7.5
EPSS 0.0173
EPSS Percentile 82.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-755 CWE-346
Status published

Affected Products (2)

eclipse/paho_java_client
org.eclipse.paho/org.eclipse.paho.client.mqttv3 < 1.2.1 (Maven)

Timeline

Published Sep 11, 2019
Tracked Since Feb 18, 2026