data/reports/GO-2021-0083.yaml - vulndb - Git at Google

 modules:
   - module: github.com/hybridgroup/gobot
     versions:
       - fixed: 1.12.1-0.20190521122906-c1aa4f867846
     vulnerable_at: 1.12.1-0.20190521122836-07d9e09b1ea5
     packages:
       - package: github.com/hybridgroup/gobot/platforms/mqtt
         symbols:
           - Adaptor.newTLSConfig
         derived_symbols:
           - Adaptor.Connect
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     TLS certificate verification is skipped when connecting to a MQTT server.
     This allows an attacker who can MITM the connection to read, or forge,
     messages passed between the client and server.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-12496
 ghsas:
   - GHSA-vfxc-r2gx-v2vq
 references:
   - fix: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
   - web: https://github.com/hybridgroup/gobot/releases/tag/v1.13.0
	modules:
	- module: github.com/hybridgroup/gobot
	versions:
	- fixed: 1.12.1-0.20190521122906-c1aa4f867846
	vulnerable_at: 1.12.1-0.20190521122836-07d9e09b1ea5
	packages:
	- package: github.com/hybridgroup/gobot/platforms/mqtt
	symbols:
	- Adaptor.newTLSConfig
	derived_symbols:
	- Adaptor.Connect
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	TLS certificate verification is skipped when connecting to a MQTT server.
	This allows an attacker who can MITM the connection to read, or forge,
	messages passed between the client and server.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-12496
	ghsas:
	- GHSA-vfxc-r2gx-v2vq
	references:
	- fix: https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
	- web: https://github.com/hybridgroup/gobot/releases/tag/v1.13.0