Square · OkHttp · CVE-2016-2402
**Name of the Vulnerable Software and Affected Versions**
OkHttp versions 2.7.3 and earlier, OkHttp versions 3.x before 3.1.2
**Description**
OkHttp's `CertificatePinner` checked the configured pins against the certificate chain exactly as the server presented it, not against the chain that trust validation had actually accepted. A man-in-the-middle who holds a certificate for the target host issued by any CA the client trusts (a trusted but non-pinned CA) can therefore present that certificate, complete the TLS handshake with its private key, and append the genuine pinned certificate to the chain as an extra entry that is not part of the validated path. Because the pinner found the pinned certificate somewhere in the presented list, it accepted the connection, and pinning gave no protection against the interception. The fixed versions apply the pin check only to the cleaned, validated chain (the path from the leaf to a trust anchor), so certificates that merely ride along in the server's list no longer satisfy a pin.
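The following is an added example, not OkHttp's own code, that models the pre-fix and post-fix pin check side by side on a constructed toy PKI. `Cert`, `pin`, `clean_chain`, `check_pins_vulnerable`, `check_pins_fixed` and the sample certificates are names invented for this illustration; signatures, expiry and hostname matching are not modelled, and `clean_chain` only imitates the leaf-to-anchor path rebuilding that the fixed versions perform before pinning.

```python
import base64
import hashlib
from dataclasses import dataclass

# Added example: simplified model of the CVE-2016-2402 pinning bypass and of
# the post-fix behaviour. Not OkHttp code; all names below are constructed
# for this illustration. Signatures and expiry are not modelled.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo


def pin(cert: Cert) -> str:
    """Pin string in the form OkHttp uses: "sha256/" + base64(SHA-256(SPKI))."""
    digest = hashlib.sha256(cert.spki).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def clean_chain(presented: list, trust_anchors: set) -> list:
    """Rebuild the path that trust validation actually accepted: start at the
    leaf, follow issuer links, stop at a trusted anchor. Anything the server
    appended that is not on that path is dropped. Raises ValueError when no
    trusted path exists (in a real client the handshake fails before pinning)."""
    if not presented:
        raise ValueError("empty certificate chain")
    by_subject = {c.subject: c for c in presented[1:]}  # candidate intermediates
    anchors_by_subject = {a.subject: a for a in trust_anchors}
    chain = [presented[0]]
    while True:
        current = chain[-1]
        if current in trust_anchors:
            return chain
        anchor = anchors_by_subject.get(current.issuer)
        if anchor is not None:
            chain.append(anchor)
            return chain
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer in chain:
            raise ValueError("no trusted path from " + presented[0].subject)
        chain.append(issuer)


def check_pins_vulnerable(presented: list, pins: set) -> bool:
    """Pre-fix logic: a pin matching ANY certificate in the list the server
    sent passes, whether or not that certificate authenticated the connection."""
    return any(pin(c) in pins for c in presented)


def check_pins_fixed(presented: list, pins: set, trust_anchors: set) -> bool:
    """Post-fix logic: only certificates on the validated path can satisfy a pin."""
    return any(pin(c) in pins for c in clean_chain(presented, trust_anchors))


# Constructed sample PKI: the client trusts two roots and pins the site's own key.
ROOT_GOOD = Cert("Good Root CA", "Good Root CA", b"good-root-key")
INTERMEDIATE = Cert("Good Intermediate CA", "Good Root CA", b"good-intermediate-key")
SITE = Cert("api.example.com", "Good Intermediate CA", b"site-key")
ROOT_OTHER = Cert("Other Root CA", "Other Root CA", b"other-root-key")
# The attacker obtained a certificate for the same hostname from the other
# trusted (but not pinned) CA and holds its private key.
MITM = Cert("api.example.com", "Other Root CA", b"mitm-key")

TRUST_ANCHORS = {ROOT_GOOD, ROOT_OTHER}
PINS = {pin(SITE)}


def honest_chain() -> list:
    return [SITE, INTERMEDIATE, ROOT_GOOD]


def attack_chain() -> list:
    # Path that actually validates: MITM -> ROOT_OTHER. The genuine pinned
    # certificate and its intermediate are appended but hang off nothing.
    return [MITM, ROOT_OTHER, INTERMEDIATE, SITE]


def demo() -> dict:
    return {
        "vulnerable_honest": check_pins_vulnerable(honest_chain(), PINS),
        "vulnerable_attack": check_pins_vulnerable(attack_chain(), PINS),
        "fixed_honest": check_pins_fixed(honest_chain(), PINS, TRUST_ANCHORS),
        "fixed_attack": check_pins_fixed(attack_chain(), PINS, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running the block shows the vulnerable check accepting both chains, while the fixed check accepts the honest chain and rejects the attack chain, because `clean_chain` reduces the attacker's list to `[MITM, ROOT_OTHER]` and the pinned key is no longer in it.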
**Recommendations**
For OkHttp versions 2.7.3 and earlier, update to version 2.7.4 or later.
For OkHttp versions 3.x before 3.1.2, update to version 3.1.2 or later.
After upgrading, verify that each configured pin matches a key on the validated chain (the leaf, its intermediates, or the root that the trust store actually anchors it to). A pin that previously matched only a certificate the server appended outside that path will now fail the connection instead of silently passing.