#VU78253 Origin validation error in paho.mqtt.java - CVE-2019-11777

Cybersecurity Help s.r.o.

Published: 2023-07-14

Vulnerability identifier: #VU78253

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-11777

CWE-ID: CWE-346

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
paho.mqtt.java
Other software / Other software solutions

Vendor: Eclipse

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

paho.mqtt.java: 1.2.0

External links
https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM TXSeries for Multiplatforms update for Eclipse Paho Java

IBM B2B Advanced Communications update for paho.mqtt.java

Origin validation error in IBM Spectrum Protect Plus

Origin validation error in IBM CICS TX Standard

Origin validation error in IBM CICS TX Advanced

Multiple vulnerabilities in IBM Maximo Application Suite - Manage Component