Vulnerability Description
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by presenting a certificate chain that contains both a certificate issued by a non-pinned trusted CA and the pinned certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Squareup | Okhttp | <= 2.7.3 |
| Squareup | Okhttp3 | 3.0.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/02/10/8 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/02/18/7 (Mailing List, Third Party Advisory)
- https://koz.io/pinning-cve-2016-2402/ (Technical Description, Third Party Advisory)
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995
- https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/ (Vendor Advisory)
FAQ
What is CVE-2016-2402?
CVE-2016-2402 is a vulnerability with a CVSS score of 5.9 (MEDIUM). OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned ...
How severe is CVE-2016-2402?
CVE-2016-2402 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-2402?
Check the references section above for vendor advisories and patch information. Affected products include: Squareup Okhttp, Squareup Okhttp3.