CVE-2019-11777: Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.78986%
Published
9/17/2019
Updated
2/1/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name
org.eclipse.paho:org.eclipse.paho.client.mqttv3
Ecosystem
maven
Vulnerable Versions
< 1.2.1
First Patched Version
1.2.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from an unchecked HostnameVerifier result during SSL handshake handling. Both SSLNetworkModule.start() methods, in the MQTTv3 and the MQTTv5 implementation, called hostnameVerifier.verify() but discarded its boolean return value, so a TLS session whose peer certificate did not match the expected host name was allowed to proceed as if verification had succeeded. The patches add an explicit check of the result and error handling when it is false. These start() methods would appear in runtime profiles during TLS connection establishment, at the point where host name validation occurs.
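The defect class described above, shown as an added illustration rather than Paho's own SSLNetworkModule code: the class name TlsHostnameCheck and both connect methods are hypothetical, and only the standard javax.net.ssl API is used. The first method reproduces the bug (the verifier runs, but its result is ignored); the second shows the checked form, which invalidates the session, closes the socket and raises a checked exception when verification fails.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

// Hypothetical illustration of the unchecked-verifier defect; not the Paho client's code.
public final class TlsHostnameCheck {

    // Vulnerable pattern: verify() is called, but its boolean result is discarded,
    // so a server whose certificate does not match 'host' still gets a live session.
    static SSLSocket connectUnchecked(SSLSocketFactory factory, String host, int port,
                                      HostnameVerifier verifier) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        if (verifier != null) {
            verifier.verify(host, socket.getSession()); // return value ignored: the bug
        }
        return socket;
    }

    // Hardened pattern: a false result invalidates the session, closes the socket
    // and surfaces a checked exception so the caller cannot use the connection.
    static SSLSocket connectChecked(SSLSocketFactory factory, String host, int port,
                                    HostnameVerifier verifier) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
            if (verifier != null) {
                SSLSession session = socket.getSession();
                if (!verifier.verify(host, session)) {
                    session.invalidate();
                    throw new SSLPeerUnverifiedException(
                        "Host name verification failed for " + host
                        + " (peer presented " + session.getPeerHost() + ")");
                }
            }
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand back a half-verified socket
            throw e;
        }
    }
}
```

Two practical notes for reviewers of similar code: a call to HostnameVerifier.verify() whose return value is not consumed is the pattern to flag, and it is easy to find with a static analyser or a grep over the code base. Where the application controls the SSLSocket directly, an alternative that removes the chance of forgetting the check altogether is to enable JSSE's built-in endpoint identification on the socket's SSLParameters (setEndpointIdentificationAlgorithm("HTTPS")), so the host name is validated inside the handshake itself and a mismatch fails the handshake rather than relying on application code to act on a boolean.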


WAF Protection Rules

WAF Rule

In the Eclipse Paho Java client library version *.*.*, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide t
