Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ZnhjLXIyZ3gtdjJ2cc4AAg3I
Hybrid Group Gobot Improper Certificate Validation vulnerability
An issue was discovered in Hybrid Group Gobot before 1.13.0 (fixed in commit c1aa4f867846, 2019-05-21). The MQTT subsystem's TLS client configuration skipped verification of the broker's certificate chain against any root CA by default, so a client connecting to a broker over TLS accepted whatever certificate it was shown, including one presented by an on-path attacker, unless the application explicitly turned verification back on.
Specific Go Packages Affected
github.com/hybridgroup/gobot/platforms/mqtt
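To make the failure concrete, here is an added Go example, not Gobot's own code: it builds a throwaway self-signed certificate for a broker, serves it from an in-process loopback TLS listener, and dials it with a client configuration that mirrors the weak default the advisory describes (tls.Config with InsecureSkipVerify set, which is the Go mechanism for skipping root CA verification) and with a hardened configuration that keeps verification on, once with an empty CA pool and once pinned to the broker certificate. The host name broker.example, the helper and type names (selfSignedCert, handshake, Outcomes, Demo) and the loopback setup are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// brokerName is an assumed host name for the throwaway broker certificate.
const brokerName = "broker.example"

// selfSignedCert builds a constructed, in-memory self-signed certificate for brokerName.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: brokerName},
		DNSNames:     []string{brokerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// vulnerableClientConfig mirrors the weak default the advisory describes: InsecureSkipVerify
// skips chain building against any root CA, so the client accepts any certificate it is shown.
func vulnerableClientConfig() *tls.Config {
	return &tls.Config{ServerName: brokerName, InsecureSkipVerify: true}
}

// hardenedClientConfig keeps verification on; roots is the CA pool the broker
// certificate must chain to (nil would mean the system root store).
func hardenedClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: brokerName, RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// handshake serves serverCert on a loopback TLS listener and returns the client's handshake error.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and drive its handshake
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcomes records whether each client configuration accepted the self-signed certificate.
type Outcomes struct {
	Vulnerable     bool // InsecureSkipVerify: true, as in the pre-fix default
	HardenedNoCA   bool // verification on, empty CA pool: must be false
	HardenedPinned bool // verification on, broker cert added to the CA pool
}

// Demo runs the three handshakes against the same self-signed certificate.
func Demo() (Outcomes, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return Outcomes{}, err
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(cert.Leaf)
	return Outcomes{
		Vulnerable:     handshake(cert, vulnerableClientConfig()) == nil,
		HardenedNoCA:   handshake(cert, hardenedClientConfig(x509.NewCertPool())) == nil,
		HardenedPinned: handshake(cert, hardenedClientConfig(pinned)) == nil,
	}, nil
}

func main() {
	fmt.Println(Demo()) // expect {true false true} <nil>
}
```

The verifying client with an empty pool fails with Go's "x509: certificate signed by unknown authority", which is exactly the rejection the pre-fix default suppressed. To check your own module tree for this advisory, `govulncheck` (run as `go run golang.org/x/vuln/cmd/govulncheck@latest ./...`) reports it under the Go vulnerability database ID GO-2021-0083 listed in the references; note that the fixed pseudo-version 1.12.1-0.20190521122906-c1aa4f867846 means any tagged release up to 1.12.0, and any untagged commit before 2019-05-21, is affected.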
Permalink: https://github.com/advisories/GHSA-vfxc-r2gx-v2vq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZnhjLXIyZ3gtdjJ2cc4AAg3I
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00085
EPSS Percentile: 0.37726
Identifiers: GHSA-vfxc-r2gx-v2vq, CVE-2019-12496
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12496
- https://github.com/hybridgroup/gobot/compare/ed53198...7f973df
- https://github.com/hybridgroup/gobot/releases/tag/v1.13.0
- https://github.com/hybridgroup/gobot/commit/c1aa4f867846da4669ecf3bc3318bd96b7ee6f3f
- https://pkg.go.dev/vuln/GO-2021-0083
- https://github.com/advisories/GHSA-vfxc-r2gx-v2vq
Blast Radius: 2.3
Affected Packages
go:github.com/hybridgroup/gobot
Dependent packages: 0
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 1.12.1-0.20190521122906-c1aa4f867846
Fixed in: 1.12.1-0.20190521122906-c1aa4f867846
All affected versions: 0.11.0, 0.12.0, 0.12.1, 0.13.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.12.0
All unaffected versions: 1.13.0, 1.14.0, 1.15.0, 1.16.0