CVE-2016-2402: Medium severity squareup Okhttp vulnerability
Published Jan 30, 2017
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
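The description above turns on a subtle point: a pin check is only meaningful if it is applied to the chain that was actually validated up to a trust anchor, not to the raw list of certificates the peer sent. The pinned certificate is public, so a chain that merely contains it proves nothing unless it also signed something in the chain. The following Python model is an added illustration for this page, not OkHttp's own code; it shows the pre-fix check beside the fixed one. All certificates, keys, and names are constructed placeholders, and signature verification is simplified to issuer-name chaining so the model stays small.

```python
"""Added illustration for CVE-2016-2402 (not OkHttp's code).

A pin check that matches pins against the chain the peer presented is
satisfied by any chain that merely *contains* the pinned certificate, even
when that certificate signed nothing in the chain. The fixed check matches
pins only against the chain validated up to a trust anchor. Certificates,
keys and names below are constructed placeholders; signature verification is
replaced by issuer-name chaining to keep the model small.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject name of the signing certificate
    spki: bytes   # stands in for the DER SubjectPublicKeyInfo


def pin_of(cert: Cert) -> str:
    """Pin in the 'sha256/<base64>' form OkHttp's CertificatePinner uses."""
    digest = hashlib.sha256(cert.spki).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def trusted_chain(presented: list, anchors: dict) -> list:
    """Return the path leaf -> ... -> trust anchor.

    Presented certificates that are not on that path are discarded, which is
    what a trust manager / chain cleaner does before the chain is trusted.
    """
    by_subject = {c.subject: c for c in presented}
    chain = [presented[0]]
    for _ in range(len(presented) + 1):   # bound the walk to avoid issuer loops
        cur = chain[-1]
        if cur.issuer in anchors:
            return chain + [anchors[cur.issuer]]
        issuer = by_subject.get(cur.issuer)
        if issuer is None or issuer in chain:
            break
        chain.append(issuer)
    raise ValueError("no path from leaf to a trust anchor")


def pins_match_vulnerable(presented: list, pins: set) -> bool:
    """Pre-fix behaviour: any certificate in the served chain may satisfy a pin."""
    return any(pin_of(c) in pins for c in presented)


def pins_match_fixed(presented: list, pins: set, anchors: dict) -> bool:
    """Fixed behaviour: only certificates on the validated chain count."""
    return any(pin_of(c) in pins for c in trusted_chain(presented, anchors))


# --- constructed sample data -------------------------------------------------
PINNED_CA = Cert("Pinned Root CA", "Pinned Root CA", b"constructed-key-pinned-ca")
OTHER_CA = Cert("Other Trusted CA", "Other Trusted CA", b"constructed-key-other-ca")
ANCHORS = {c.subject: c for c in (PINNED_CA, OTHER_CA)}   # device trust store
PINS = {pin_of(PINNED_CA)}                                # app pins only its own CA

SERVER_LEAF = Cert("api.example.test", "Pinned Root CA", b"constructed-key-server")
OTHER_LEAF = Cert("api.example.test", "Other Trusted CA", b"constructed-key-other")

LEGIT_CHAIN = [SERVER_LEAF, PINNED_CA]
# The shape named in the advisory: a certificate from a non-pinned trusted CA
# plus the pinned certificate, which signed nothing in this chain.
MIXED_CHAIN = [OTHER_LEAF, OTHER_CA, PINNED_CA]


if __name__ == "__main__":
    for name, chain in (("legitimate", LEGIT_CHAIN), ("mixed", MIXED_CHAIN)):
        print(f"{name:11s} vulnerable={pins_match_vulnerable(chain, PINS)} "
              f"fixed={pins_match_fixed(chain, PINS, ANCHORS)}")
```

Run as a script, the legitimate chain passes both checks, while the mixed chain passes only the pre-fix check: the validated path stops at "Other Trusted CA", so the pinned certificate never enters the comparison. The practical takeaway matches the advisory's fix advice: pinning libraries must evaluate pins after chain validation, and applications on affected OkHttp versions should upgrade rather than rely on pinning as configured.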
Affected Software
6 affected components
squareup Okhttp <= 2.7.3
squareup Okhttp3 = 3.0.0
squareup Okhttp3 = 3.0.0-rc1
squareup Okhttp3 = 3.0.1
squareup Okhttp3 = 3.1.0
squareup Okhttp3 = 3.1.1
Event History
Jan 30, 2017
10:00 PM: CVE Published (via MITRE)
10:00 PM: Data Sourced (via MITRE)
10:59 PM: Description Data Sourced (via NVD)
Frequently Asked Questions
1. What is the severity of CVE-2016-2402?
CVE-2016-2402 is classified as a high-severity vulnerability due to its potential to allow man-in-the-middle attacks.
2. How do I fix CVE-2016-2402?
To fix CVE-2016-2402, you should upgrade to OkHttp version 2.7.4 or 3.1.2 or later.
3. What versions of OkHttp are affected by CVE-2016-2402?
CVE-2016-2402 affects OkHttp versions prior to 2.7.4 and all 3.x versions before 3.1.2.
4. What type of attack does CVE-2016-2402 exploit?
CVE-2016-2402 exploits a vulnerability that allows man-in-the-middle attackers to bypass certificate pinning.
5. Is CVE-2016-2402 specific to certain environments?
CVE-2016-2402 is specific to applications using vulnerable versions of OkHttp in any environment that implements certificate pinning.