CVE-2016-2402 - Vulnerability Details - OpenCVE

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Squareup	Okhttp Okhttp3

Configuration 1 [-]

OR	cpe:2.3:a:squareup:okhttp::::::::
	cpe:2.3:a:squareup:okhttp3:3.0.0:::::::*
	cpe:2.3:a:squareup:okhttp3:3.0.0:rc1::::::
	cpe:2.3:a:squareup:okhttp3:3.0.1:::::::*
	cpe:2.3:a:squareup:okhttp3:3.1.0:::::::*
	cpe:2.3:a:squareup:okhttp3:3.1.1:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2016/02/10/8
http://www.openwall.com/lists/oss-security/2016/02/18/7
https://koz.io/pinning-cve-2016-2402/
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-01-30T22:00:00

Updated: 2024-08-05T23:24:49.347Z

Reserved: 2016-02-17T00:00:00

Link: CVE-2016-2402

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-01-30T22:59:00.390

Modified: 2025-04-20T01:37:25.860

Link: CVE-2016-2402

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-02-10T00:00:00", "descriptions": [{"lang": "en", "value": "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-16T05:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://koz.io/pinning-cve-2016-2402/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}, {"name": "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/02/10/8"}, {"name": "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/02/18/7"}, {"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2402", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://koz.io/pinning-cve-2016-2402/", "refsource": "MISC", "url": "https://koz.io/pinning-cve-2016-2402/"}, {"name": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/", "refsource": "CONFIRM", "url": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}, {"name": "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/10/8"}, {"name": "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/18/7"}, {"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:24:49.347Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://koz.io/pinning-cve-2016-2402/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}, {"name": "[oss-security] 20160210 CVE request - OkHttp Certificate Pining Bypass", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/02/10/8"}, {"name": "[oss-security] 20160217 Re: CVE request - OkHttp Certificate Pining Bypass", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/02/18/7"}, {"name": "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2402", "datePublished": "2017-01-30T22:00:00", "dateReserved": "2016-02-17T00:00:00", "dateUpdated": "2024-08-05T23:24:49.347Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*", "matchCriteriaId": "770E740C-33B8-4A51-B55F-B240F33960BD", "versionEndIncluding": "2.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okhttp3:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4AD815F-E998-4C8D-B64C-B5C6E0750D3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okhttp3:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D6367344-FB92-46BE-B460-423573309C88", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okhttp3:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "37FD7BC3-0E9A-4BFE-9058-8C55A495EF2C", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okhttp3:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA32D418-4F2A-4CE8-9AE0-5168B7DDF7A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:squareup:okhttp3:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA482A17-1951-4725-90C5-CCD39CD4A220", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate."}, {"lang": "es", "value": "OkHttp antes de 2.7.4 y 3.x antes de 3.1.2 permite que los atacantes man-in-the-middle eludan la fijaci\u00f3n de certificados enviando una cadena de certificados con un CA no fijado confiable y el certificado fijado."}], "id": "CVE-2016-2402", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-30T22:59:00.390", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/02/10/8"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/02/18/7"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://koz.io/pinning-cve-2016-2402/"}, {"source": "cve@mitre.org", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/02/10/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/02/18/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://koz.io/pinning-cve-2016-2402/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}