CVE-2020-27220

Vendor: The Eclipse Foundation
Product: Eclipse Hono
Weakness: CWE-862 · Missing authorization
Published: January 14, 2021
Last update: August 4, 2024

CVSS base score

What the vulnerability does

Description

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check is the verification that the target device's registration grants the gateway permission to act on its behalf. As a result, an authenticated device of a tenant, notably also a non-gateway device behaving like a gateway, may receive command & control messages targeted at a different device of the same tenant without the corresponding permission ever being checked.
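The following is an added illustration of the missing check, written for this page and not taken from Eclipse Hono's code base. It models a device registry in which each device lists the gateways allowed to act on its behalf (the `via` field, the registry layout and the function names `subscribe_vulnerable`, `subscribe_fixed` and `find_unauthorized_subscriptions` are assumptions of this example). The vulnerable subscription handler only confirms that the subscriber and the target belong to the same tenant; the fixed handler additionally requires that the target device's registration names the subscriber as an authorized gateway. The audit helper replays a list of subscriptions and reports those the old logic would have granted but the new logic rejects, which is the check an operator would want to run over recorded subscriptions after patching.

```python
"""Illustrative model of the CWE-862 check missing in CVE-2020-27220.

Not Eclipse Hono code: the registry shape, the 'via' field and all
function names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

DeviceKey = Tuple[str, str]  # (tenant, device id)


@dataclass(frozen=True)
class Device:
    tenant: str
    device_id: str
    # Gateways permitted to act (subscribe to commands) on this device's behalf.
    via: FrozenSet[str] = frozenset()


# Constructed sample registry: one real gateway, one device that is not a
# gateway but will try to behave like one, and a device in another tenant.
REGISTRY: Dict[DeviceKey, Device] = {
    ("t1", "gw-1"): Device("t1", "gw-1"),
    ("t1", "sensor-a"): Device("t1", "sensor-a", frozenset({"gw-1"})),
    ("t1", "sensor-b"): Device("t1", "sensor-b"),
    ("t1", "rogue"): Device("t1", "rogue"),
    ("t2", "sensor-c"): Device("t2", "sensor-c", frozenset({"gw-1"})),
}


def subscribe_vulnerable(registry: Dict[DeviceKey, Device], auth_tenant: str,
                         auth_device: str, target_tenant: str,
                         target_device: str) -> bool:
    """Pre-fix behaviour: any authenticated device of the tenant may subscribe
    to commands for any existing device of the same tenant."""
    if auth_tenant != target_tenant:
        return False
    return (target_tenant, target_device) in registry


def subscribe_fixed(registry: Dict[DeviceKey, Device], auth_tenant: str,
                    auth_device: str, target_tenant: str,
                    target_device: str) -> bool:
    """Fixed behaviour: the target device's registration must grant the
    subscribing device permission to act on its behalf."""
    if auth_tenant != target_tenant:
        return False
    if auth_device == target_device:
        return True  # a device subscribing to its own commands
    target = registry.get((target_tenant, target_device))
    if target is None:
        return False
    return auth_device in target.via


Subscription = Tuple[str, str, str, str]  # (auth_tenant, auth_device, target_tenant, target_device)


def find_unauthorized_subscriptions(registry: Dict[DeviceKey, Device],
                                    subscriptions: List[Subscription]) -> List[Subscription]:
    """Audit helper: subscriptions the old logic granted but the fixed logic
    rejects, i.e. command deliveries that bypassed the permission check."""
    return [s for s in subscriptions
            if subscribe_vulnerable(registry, *s) and not subscribe_fixed(registry, *s)]


if __name__ == "__main__":
    recorded = [
        ("t1", "gw-1", "t1", "sensor-a"),   # legitimate gateway
        ("t1", "rogue", "t1", "sensor-a"),  # non-gateway acting like a gateway
        ("t1", "gw-1", "t1", "sensor-b"),   # gateway not listed for this device
        ("t1", "gw-1", "t2", "sensor-c"),   # cross-tenant, rejected by both
    ]
    for s in find_unauthorized_subscriptions(REGISTRY, recorded):
        print("unauthorized command subscription:", s)
```

The tenant check alone is the state of affairs the description criticises: it keeps tenants apart but lets any device inside a tenant read another device's commands. The `via` membership test is the per-device permission that was not being evaluated.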

Key dates

Disclosure timeline

January 14, 2021: CVE published
August 4, 2024: Record updated