The vulnerability lies in the lack of hostname verification in the ruby-mqtt client, which could allow a Man-in-the-Middle attack. Analysis of the commits between the vulnerable version 0.6.0 and the patched version 0.7.0 shows that the fix was implemented in commit 75c70e6a142472db639a3f9dd8faf2e3f4a9af06. This commit introduces a new attribute, `verify_host`, which defaults to `true`, and adds a call to `@socket.post_connection_check(@host)` inside the `connect` method of the `MQTT::Client` class. That call is what performs the hostname verification. `MQTT::Client.connect` was therefore the vulnerable function, because it set up the connection without this validation.
MQTT::Client.connect (lib/mqtt/client.rb)
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mqtt | rubygems | < 0.7.0 | 0.7.0 |