| id: GO-2021-0083 |
| modules: |
| - module: github.com/hybridgroup/gobot |
| versions: |
| - fixed: 1.12.1-0.20190521122906-c1aa4f867846 |
| vulnerable_at: 1.12.1-0.20190521122836-07d9e09b1ea5 |
| packages: |
| - package: github.com/hybridgroup/gobot/platforms/mqtt |
| symbols: |
| - Adaptor.newTLSConfig |
| derived_symbols: |
| - Adaptor.Connect |
| summary: Improper certificate validation in github.com/hybridgroup/gobot |
| description: |- |
| TLS certificate verification is skipped when connecting to a MQTT server. This |
| allows an attacker who can MITM the connection to read, or forge, messages |
| passed between the client and server. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2019-12496 |
| ghsas: |
| - GHSA-vfxc-r2gx-v2vq |
| references: |
| - fix: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f |
| - web: https://github.com/hybridgroup/gobot/releases/tag/v1.13.0 |
| review_status: REVIEWED |