In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information. Upstream bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=549934 Upstream issue: https://github.com/eclipse/paho.mqtt.java/issues/506 Upstream patch: https://github.com/CVEProject/cvelist/pull/2537
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11777