PT-2016-3433 · Square · Okhttp

John Kozyrakis · Published 2016-02-10 · Updated 2022-05-13 · CVE-2016-2402

CVSS v2.0: 7.1 (High), vector AV:N/AC:M/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: OkHttp versions 2.7.3 and earlier, OkHttp versions 3.x before 3.1.2

Description: The vulnerability allows a man-in-the-middle attacker to bypass certificate pinning by sending a certificate chain that contains both a certificate from a non-pinned trusted CA and the pinned certificate. The root cause is an error in the certificate validation procedure, which a remote attacker can exploit to bypass existing security restrictions and carry out a man-in-the-middle attack.

Recommendations: For OkHttp versions 2.7.3 and earlier, update to version 2.7.4 or later. For OkHttp versions 3.x before 3.1.2, update to version 3.1.2 or later.
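As an added illustration (not from the advisory or the OkHttp project), the following Python model contrasts a pin check that consults every certificate the peer presents with one that consults only the chain actually validated against the trust store. The certificates, keys and pins are constructed stand-ins, and the chain builder follows issuer names instead of verifying signatures.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the SubjectPublicKeyInfo bytes


def pin_of(cert: Cert) -> str:
    """Pin format used here: SHA-256 over the (stand-in) public key bytes."""
    return "sha256/" + hashlib.sha256(cert.spki).hexdigest()


def build_trusted_chain(presented, trusted_roots):
    """Model of what a trust manager does: walk issuer links from the leaf up
    to a trusted root and return only the certificates on that validated path.
    Certificates the peer merely appended, but which are not on the path, are dropped."""
    by_subject = {c.subject: c for c in presented}
    roots = {r.subject: r for r in trusted_roots}
    chain = [presented[0]]
    while chain[-1].issuer not in roots:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt in chain:
            return None  # no path to a trusted root (or a loop)
        chain.append(nxt)
    chain.append(roots[chain[-1].issuer])
    return chain


def pin_check_vulnerable(presented, pins) -> bool:
    # Flawed pattern: any certificate the peer sends satisfies the pin,
    # whether or not it takes part in the trusted path.
    return any(pin_of(c) in pins for c in presented)


def pin_check_fixed(presented, trusted_roots, pins) -> bool:
    # Hardened pattern: evaluate pins only against the validated chain.
    chain = build_trusted_chain(presented, trusted_roots)
    return chain is not None and any(pin_of(c) in pins for c in chain)


# Constructed sample material (not real certificates or keys)
ROOT_PINNED = Cert("Pinned Root CA", "Pinned Root CA", b"pinned-root-key")
ROOT_OTHER = Cert("Other Trusted CA", "Other Trusted CA", b"other-root-key")
LEGIT_LEAF = Cert("api.example.com", "Pinned Root CA", b"legit-leaf-key")
OTHER_LEAF = Cert("api.example.com", "Other Trusted CA", b"other-leaf-key")
TRUSTED = [ROOT_PINNED, ROOT_OTHER]
PINS = {pin_of(ROOT_PINNED)}
# Chain shaped like the advisory describes: leaf from a non-pinned trusted CA, pinned cert appended
PADDED_CHAIN = [OTHER_LEAF, ROOT_OTHER, ROOT_PINNED]
```

With these inputs `pin_check_vulnerable(PADDED_CHAIN, PINS)` accepts the padded chain while `pin_check_fixed(PADDED_CHAIN, TRUSTED, PINS)` rejects it, and the legitimate chain `[LEGIT_LEAF, ROOT_PINNED]` passes both.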

Weakness Enumeration

Improper Certificate Validation
Related Identifiers

BDU:2022-04756
CVE-2016-2402
GHSA-4HC2-JH7R-WRC3

Affected Products

Okhttp