CVE-2018-20200: Medium severity squareup retrofit vulnerability

Q: What is CVE-2018-20200?

CVE-2018-20200 is a vulnerability in OkHttp 3.x through 3.12.0 that allows man-in-the-middle attackers to bypass certificate pinning.

Q: How severe is CVE-2018-20200?

CVE-2018-20200 has a severity rating of 5.9, which is considered medium.

Q: What is the affected software for CVE-2018-20200?

The affected software for CVE-2018-20200 is OkHttp versions 3.0.0 through 3.12.0.

Q: How can an attacker exploit CVE-2018-20200?

An attacker can exploit CVE-2018-20200 by changing the SSLContext and boolean values while hooking the application to bypass certificate pinning.

Q: Are there any references for CVE-2018-20200?

Yes, you can find references for CVE-2018-20200 at the following links: [link 1](https://cxsecurity.com/issue/WLB-2018120252), [link 2](https://github.com/square/okhttp/commits/master), [link 3](https://github.com/square/okhttp/issues/4967).

Published Apr 18, 2019

Updated

DISPUTED CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.

Affected Software

1 affected component

squareup Okhttp>=3.0.0<=3.12.0

Remediation

Patch Available

https://github.com/square/okhttp/commits/master

Event History

Apr 18, 2019

CVE Published

via MITRE·06:31 PM

Data Sourced

via MITRE·06:31 PM

Description

Disputed

07:29 PM

Frequently Asked Questions

What is CVE-2018-20200?

CVE-2018-20200 is a vulnerability in OkHttp 3.x through 3.12.0 that allows man-in-the-middle attackers to bypass certificate pinning.

How severe is CVE-2018-20200?

CVE-2018-20200 has a severity rating of 5.9, which is considered medium.

What is the affected software for CVE-2018-20200?