CVE-2019-11777

HIGH

Eclipse Paho Java client lib <1.2.0 - SSRF

Title source: llm
STIX 2.1

Description

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934

Scores

CVSS v3 7.5
EPSS 0.0083
EPSS Percentile 53.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-346 CWE-755
Status published
Products (2)
eclipse/paho_java_client 1.2.0
org.eclipse.paho/org.eclipse.paho.client.mqttv3 0 - 1.2.1Maven
Published Sep 11, 2019
Tracked Since Feb 18, 2026