CVE-2018-20200Improper Certificate Validation in Okhttp

CWE-295Improper Certificate ValidationCWE-300Channel Accessible by Non-Endpoint8 documents6 sources
Severity
5.9MEDIUMNVD
EPSS
0.3%
top 47.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Squareup Okhttp
Timeline
PublishedApr 18
Latest updateMay 24

Description

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages1 packages

NVDsquareup/okhttp3.0.03.12.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
GHSA
GHSA-qvh7-2qrg-6v75: CertificatePinner2022-05-24
OSV
CVE-2018-20200: ** DISPUTED ** CertificatePinner2019-04-18
OSV
CVE-2018-20200: CertificatePinner2019-04-18
CVEList
CVE-2018-20200: CertificatePinner2019-04-18

📋Vendor Advisories

1
Red Hat
okhttp: certificate pinning bypass2019-04-19

💬Community

2
Bugzilla
CVE-2018-20200 okhttp: certificate pinning bypass2019-05-13
Bugzilla
CVE-2018-20200 okhttp: certificate pinning bypass [fedora-all]2019-05-13
CVE-2018-20200 — Improper Certificate Validation | cvebase