PT-2016-3433 · Square · Okhttp

John Kozyrakis · Published 2016-02-10 · Updated 2022-05-13 · CVE-2016-2402

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

OkHttp versions 2.7.3 and earlier; OkHttp 3.x versions before 3.1.2.

Description

OkHttp's certificate pinner compared its pins against the certificate chain exactly as the server presented it, not against the chain the trust manager had actually validated. A man-in-the-middle attacker who holds a certificate for the target host from any CA the device trusts, but which the application does not pin, can therefore send that certificate followed by the pinned certificate: the chain validates through the non-pinned CA, the pin check finds the appended pinned certificate and passes, and the attacker can intercept and modify the connection even though the pinned key signed nothing in the chain. The root cause is this error in the certificate authentication procedure; it lets a remote attacker bypass the pinning restriction and mount a man-in-the-middle attack.

Recommendations

For OkHttp versions 2.7.3 and earlier, update to version 2.7.4 or later. For OkHttp versions 3.x before 3.1.2, update to version 3.1.2 or later. The fixed releases evaluate pins only against the chain cleaned down to the path from the leaf to a trusted root, so a certificate the peer merely appends no longer satisfies a pin.
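The bypass and its fix, as an added example that is not OkHttp's code and not from the page or its author: a Go program that builds a small constructed PKI with crypto/x509 and runs two pin checks over it. AnyPinned on the raw peer chain models the pre-fix logic; FixedPinCheck models the corrected logic by first rebuilding the chain that actually validates to a trusted root (here with Go's Verify, standing in for OkHttp's chain cleaning) and pinning only against that. The host name api.example.com, the CA names and the "user-installed second trusted CA" setup are assumptions made for the example; the pin format (SHA-256 over the SubjectPublicKeyInfo) follows OkHttp's "sha256/" pins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // building the constructed test certificates must not fail
	}
}

// Pin renders a certificate as an OkHttp-style pin: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
func Pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// mkCert issues a throwaway certificate (constructed test data); parent == nil makes it a self-signed root.
func mkCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for test data
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // deliberately loose
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// AnyPinned reports whether any certificate in certs matches one of the pins. Applied
// to the raw chain the peer sent, this is exactly the pre-fix (vulnerable) check.
func AnyPinned(certs []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range certs {
		if pins[Pin(c)] {
			return true
		}
	}
	return false
}

// FixedPinCheck models the corrected logic: rebuild the chain that actually validates
// from the leaf to a trusted root, and pin only against that chain, so certificates
// the peer merely appended are ignored.
func FixedPinCheck(peerChain []*x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	inter := x509.NewCertPool()
	for _, c := range peerChain[1:] {
		inter.AddCert(c)
	}
	chains, err := peerChain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return false // untrusted chain: pinning never rescues it
	}
	for _, chain := range chains {
		if AnyPinned(chain, pins) {
			return true
		}
	}
	return false
}

// Scenario reproduces the advisory's setup: the app pins its own CA, the device trust
// store also holds a second, non-pinned CA (say a user-installed one) that issued the
// attacker a certificate for the hypothetical host. The attacker's chain is that leaf
// plus the pinned certificate appended. Returns (vulnerable, fixed) verdicts for the
// honest chain, then for the attacker's chain.
func Scenario() (honestVuln, honestFixed, mitmVuln, mitmFixed bool) {
	const host = "api.example.com"
	pinnedCA, pinnedKey := mkCert("Pinned CA", nil, true, nil, nil)
	realLeaf, _ := mkCert(host, []string{host}, false, pinnedCA, pinnedKey)
	otherCA, otherKey := mkCert("Other trusted CA", nil, true, nil, nil)
	mitmLeaf, _ := mkCert(host, []string{host}, false, otherCA, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	pins := map[string]bool{Pin(pinnedCA): true}
	honest := []*x509.Certificate{realLeaf, pinnedCA}
	mitm := []*x509.Certificate{mitmLeaf, otherCA, pinnedCA}
	return AnyPinned(honest, pins), FixedPinCheck(honest, roots, host, pins), AnyPinned(mitm, pins), FixedPinCheck(mitm, roots, host, pins)
}

func main() {
	fmt.Println(Scenario()) // true true true false
}
```

The honest chain passes both checks, so the fix costs nothing for legitimate pinning. The attacker's chain passes the raw-chain check solely because the pinned CA certificate is present in the list the server sent, while the validated path (leaf signed by the other trusted CA) never touches it; checking pins on the validated path is what closes the bypass.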

Weakness Enumeration

CWE-295: Improper Certificate Validation

Related identifiers

BDU:2022-04756
CVE-2016-2402
GHSA-4HC2-JH7R-WRC3

Affected products

Okhttp