Vulnerability Description
WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypass because of incorrect management of the certValidated variable (it can be set to true but cannot be set to false).
CVSS Score
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Starscream Project | Starscream | <= 2.0.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/bugtraq/2017/Apr/66
- https://github.com/daltoniam/Starscream/commit/dbeb1190b8dcbff4f0b797f9e9d9b9b86PatchThird Party Advisory
- https://github.com/daltoniam/Starscream/releases/tag/2.0.4Release NotesThird Party Advisory
- http://seclists.org/bugtraq/2017/Apr/66
- https://github.com/daltoniam/Starscream/commit/dbeb1190b8dcbff4f0b797f9e9d9b9b86PatchThird Party Advisory
- https://github.com/daltoniam/Starscream/releases/tag/2.0.4Release NotesThird Party Advisory
FAQ
What is CVE-2017-7192?
CVE-2017-7192 is a vulnerability with a CVSS score of 7.5 (HIGH). WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypass because of incorrect management of the certValidated variable (it can be set to true but cannot be set to false).
How severe is CVE-2017-7192?
CVE-2017-7192 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7192?
Check the references section above for vendor advisories and patch information. Affected products include: Starscream Project Starscream.