https://bugzilla.redhat.com/show_bug.cgi?id=1709379
Bug ID: 1709379
Summary: CVE-2018-20200 okhttp: certificate pinning bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190419,reported=20190419,sour
ce=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/
I:L/A:N,cwe=CWE-300,fedora-all/okhttp=affected,openshi
ft-enterprise-3/okhttp=new,fuse-7/okhttp=new,rhpam-7/o
khttp=new,rhdm-7/okhttp=new,springboot-1/okhttp=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: msiddiqu(a)redhat.com
CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
avibelli(a)redhat.com, bgeorges(a)redhat.com,
bleanhar(a)redhat.com, ccoleman(a)redhat.com,
chazlett(a)redhat.com, cmoulliard(a)redhat.com,
dedgar(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, gerard(a)ryan.lt, ibek(a)redhat.com,
ikanello(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jbalunas(a)redhat.com, jgoulding(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jpallich(a)redhat.com, jshepherd(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
lpetrovi(a)redhat.com, lthon(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
mnovotny(a)redhat.com, mszynkie(a)redhat.com,
paradhya(a)redhat.com, pgallagh(a)redhat.com,
puntogil(a)libero.it, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsynek(a)redhat.com,
sdaley(a)redhat.com, trogers(a)redhat.com
Target Milestone: ---
Classification: Other
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle
attackers to bypass certificate pinning by changing SSLContext and the boolean
values while hooking the application.
Upstream issue:
https://github.com/square/okhttp/issues/4967
References:
https://cxsecurity.com/issue/WLB-2018120252
https://github.com/square/okhttp/commits/master
https://github.com/square/okhttp/releases
https://square.github.io/okhttp/3.x/okhttp/
--
You are receiving this mail because:
You are on the CC list for the bug.