blob: 6d0e45a9bce2db88dfb3699611ab2ee4af5c74ef [file] [log] [blame]
id: GO-2021-0083
modules:
- module: github.com/hybridgroup/gobot
versions:
- fixed: 1.12.1-0.20190521122906-c1aa4f867846
vulnerable_at: 1.12.1-0.20190521122836-07d9e09b1ea5
packages:
- package: github.com/hybridgroup/gobot/platforms/mqtt
symbols:
- Adaptor.newTLSConfig
derived_symbols:
- Adaptor.Connect
summary: Improper certificate validation in github.com/hybridgroup/gobot
description: |-
TLS certificate verification is skipped when connecting to a MQTT server. This
allows an attacker who can MITM the connection to read, or forge, messages
passed between the client and server.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-12496
ghsas:
- GHSA-vfxc-r2gx-v2vq
references:
- fix: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
- web: https://github.com/hybridgroup/gobot/releases/tag/v1.13.0
review_status: REVIEWED