CVE-2018-20200

MEDIUM Year: 2018
CVSS v3 Score
5.9
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-295
View all →

Vulnerability Description

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967

Related Vulnerabilities

CVE-2008-4989

MEDIUM
CVSS:5.9(Medium)

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certi...

CWE-2952008

CVE-2009-2408

MEDIUM
CVSS:5.9(Medium)

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the s...

CWE-2952009

CVE-2010-4237

MEDIUM
CVSS:5.9(Medium)

Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middl...

CWE-2952010

CVE-2010-4532

MEDIUM
CVSS:5.9(Medium)

offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.

CWE-2952010

CVE-2011-0199

MEDIUM
CVSS:5.9(Medium)

The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle ...

CWE-2952011

CVE-2012-1316

MEDIUM
CVSS:5.9(Medium)

Cisco IronPort Web Security Appliance does not check for certificate revocation which could lead to MITM attacks

CWE-2952012