CVE-2021-0341: Improper Certificate Validation in Google Android

Severity: 7.5 HIGH (NVD)
EPSS: 1.0% (top 22.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
  Published: Feb 10
  Latest update: Mar 14

Description

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-8.1, Android-9, Android-10, Android-11
Android ID: A-171980069

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

Source    | Package                          | Versions
CVEListV5 | google/android                   | Android-8.1, Android-9, Android-10, Android-11
NVD       | google/android                   | 4 versions (+3)
Android   | platform/libcore                 | 8.0:0, 8.0:2021-02-01 (+4)
Android   | platform/external_okhttp         | 8.0:0, 8.0:2021-02-01 (+4)

Patches

Vulnerability Details (3)

OSV:  Square OkHttp can accept the wrong certificate (2022-05-24)
GHSA: Square OkHttp can accept the wrong certificate (2022-05-24)
OSV:  CVE-2021-0341: In verifyHostName of OkHostnameVerifier (2021-02-01)

Vendor Advisories (4)

CISA ICS: Siemens SIMATIC (2024-03-14)
Oracle:   Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (OkHttp) — CVE-2021-0341 (2024-01-15)
Red Hat:  okhttp: information disclosure via improperly used cryptographic function (2021-02-10)
Android:  CVE-2021-0341: Android Security Bulletin 2021-02-01; CVE: CVE-2021-0341; Severity: HIGH; Type: ID; Affected AOSP versions: 8 (2021-02-01)