John Kozyrakis

**Name of the Vulnerable Software and Affected Versions** OkHttp versions 2.7.3 and earlier, OkHttp versions 3.x before 3.1.2 **Description** The issue allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. This is related to errors in the certificate authentication procedure, which can be exploited by a remote attacker to bypass existing security restrictions and implement a man-in-the-middle attack. **Recommendations** For OkHttp versions 2.7.3 and earlier, update to version 2.7.4 or later. For OkHttp versions 3.x before 3.1.2, update to version 3.1.2 or later.