Authorization Bypass in Eclipse Hono AMQP and MQTT Protocol Adapters
CVE-2020-27220

8.8HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Hono
Vendor: CVE Published:; 14 January 2021

What is CVE-2020-27220?

The Eclipse Hono AMQP and MQTT protocol adapters have a critical oversight in their authorization checks. These adapters fail to verify whether an authenticated gateway device is permitted to receive command and control messages directed at other devices. Specifically, a gateway device may process messages intended for a specific device without confirming that it has the necessary permissions to act on behalf of that device. This vulnerability can be exploited by an authenticated device of the same tenant, potentially allowing it to intercept command messages intended for another device. As a result, unauthorized actions may occur, leading to a potential compromise of device integrity and security within the same tenant environment.

Affected Version(s)

Eclipse Hono 1.4.0 to 1.4.4 inclusive, 1.5.0

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=569856

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 14, 2021
Vulnerability Reserved
Oct 19, 2020

The Eclipse Foundation

What is CVE-2020-27220?

Affected Version(s)

References

CVSS V3.1

Timeline