PT-2015-6380 · Apple · Afnetworking

Published: 2015-10-27 · Updated: 2015-10-28 · CVE-2015-3996

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
AFNetworking framework versions prior to 2.5.3

Description
The issue concerns the default value of AFSecurityPolicy.validatesDomainName when the pinning mode is AFSSLPinningModeNone in the AFNetworking framework. With that default, the server's hostname is not checked against the domain name in the subject Common Name (CN) of the presented X.509 certificate, so any certificate that chains to a trusted CA is accepted regardless of which host it was issued for. As a result, a man-in-the-middle attacker holding an arbitrary valid certificate can spoof SSL servers to applications built on the affected versions.

Recommendations
For AFNetworking framework versions prior to 2.5.3, update to version 2.5.3 or later, where the default enables verification of the server's hostname against the domain name in the subject Common Name (CN) of the X.509 certificate.
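The following Objective-C snippet is an added illustration, not code from the advisory or from the AFNetworking project. It shows the weak policy shape the advisory describes (pinning mode none, relying on the library default for validatesDomainName) next to a hardened policy that sets the property explicitly, so a client stays safe whether or not it has been upgraded past 2.5.3. It assumes the AFNetworking 2.x API names AFSecurityPolicy, policyWithPinningMode:, validatesDomainName, allowInvalidCertificates and AFHTTPSessionManager; the PT-prefixed function names and the host names in comments are made up for this example.

```objc
// Added example (not from the advisory or the AFNetworking project).
#import <AFNetworking/AFNetworking.h>

// Returns YES when the policy will reject a valid certificate issued for a
// different host, i.e. when hostname verification is actually in force.
// allowInvalidCertificates == YES would also defeat the check, so it counts as unsafe.
static BOOL PTPolicyVerifiesHostname(AFSecurityPolicy *policy) {
    return policy.validatesDomainName && !policy.allowInvalidCertificates;
}

// Weak shape: on AFNetworking < 2.5.3 the default for AFSSLPinningModeNone
// leaves validatesDomainName == NO, so a valid certificate for
// other.example (constructed name) is accepted for api.example (constructed name).
static AFSecurityPolicy *PTWeakPolicy(void) {
    return [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
}

// Hardened shape: set the property explicitly instead of trusting the
// library default, which is correct on either side of the 2.5.3 fix.
static AFSecurityPolicy *PTHardenedPolicy(void) {
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
    policy.validatesDomainName = YES;
    policy.allowInvalidCertificates = NO;
    return policy;
}

// Install the hardened policy on the session manager used for all requests and
// fail fast at startup if hostname verification is somehow not in force.
static AFHTTPSessionManager *PTMakeManager(void) {
    AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
    manager.securityPolicy = PTHardenedPolicy();
    NSCAssert(PTPolicyVerifiesHostname(manager.securityPolicy),
              @"hostname verification must be enabled before any request is sent");
    return manager;
}
```

A useful audit step for an existing code base is to run PTPolicyVerifiesHostname (or an equivalent check) against every AFSecurityPolicy the app constructs, since the dangerous case is the policy that never mentions validatesDomainName at all.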


Weakness Enumeration

Related Identifiers

CVE-2015-3996

Affected Products

Afnetworking