CVE-2018-20200 Information
Description
LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don’t consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://cxsecurity.com/issue/WLB-2018120252 https://github.com/square/okhttp/commits/master https://github.com/square/okhttp/issues/4967 https://github.com/square/okhttp/releases https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@3Cdev.drill.apache.org3E https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@3Cdev.drill.apache.org3E https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@3Cissues.drill.apache.org3E https://lists.apache.org/thread.html/r0dd7ff197b2e3bdd80a0326587ca3d0c22e10d1dba17c769d6da7d7a@3Cuser.flink.apache.org3E https://lists.apache.org/thread.html/r71100f23778d72fbd8be8baa6baffc159b9c4f3fae3db4826bdc8ab8@3Cissues.flink.apache.org3E https://lists.apache.org/thread.html/r78bfce980843be61a55615a7680bbf7ac751a9b3515231eab2d32068@3Cissues.flink.apache.org3E https://lists.apache.org/thread.html/rc436d58531754ac8fe20340044566518ea4dce66aeff9193356a225d@3Cissues.flink.apache.org3E https://lists.apache.org/thread.html/recce57e195fbdd856dcf1933c136a8a66d7b02e05e3580f44d75a640@3Cissues.flink.apache.org3E https://lists.apache.org/thread.html/rfd1eed12ba2a5dff37229edd60fc84a25517815d848994146a15af91@3Cissues.flink.apache.org3E https://square.github.io/okhttp/3.x/okhttp/
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
NONE
Base Severity
5.9
Share on: