CVSSv3: 5.9

CVE-2016-2402

Published: 30/01/2017 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 384
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

OkHttp prior to 2.7.4, and 3.x prior to 3.1.2, allows a man-in-the-middle attacker to bypass certificate pinning by presenting a certificate chain that contains a certificate issued by a trusted but non-pinned CA together with the pinned certificate. The flaw is that the pinner compared every certificate in the chain as sent by the peer against the pins, rather than only the certificates on the path that was actually validated to a trust anchor. The pinned certificate is public, so an attacker can simply append it to a chain that validates through an unrelated trusted CA; the appended certificate satisfies the pin check while the TLS session is secured by the attacker's own certificate. The fixed versions derive the validated chain first and apply the pins only to it.
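The bypass described above, worked through end to end as an added Go example (this is not OkHttp code and not taken from any repository listed on this page). Using the standard library's X.509 support it constructs a trusted public CA, a separate CA whose SubjectPublicKeyInfo the app pins, a genuine leaf issued by the pinned CA and an attacker leaf issued by the trusted CA, then assembles the attacker's chain with the pinned certificate appended, which is what the POC server under GitHub Repositories serves to a real client. `vulnerablePinCheck` reproduces the flawed logic (every presented certificate is compared against the pins); `fixedPinCheck` first builds the validated chain and pins only on that. The host name, CA names and pin set are constructed for the example; the `sha256/<base64>` pin format follows OkHttp's convention.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // increasing serial numbers for the constructed certificates

// newCert issues a certificate for cn. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed by parent using parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf certificates carry the host name as a SAN
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// pin computes an OkHttp-style "sha256/<base64>" pin over the SubjectPublicKeyInfo.
func pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// vulnerablePinCheck mirrors the flawed logic: every certificate in the chain
// as presented by the peer is compared against the pins, whether or not it is
// part of the path that was validated to a trust anchor.
func vulnerablePinCheck(presented []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range presented {
		if pins[pin(c)] {
			return true
		}
	}
	return false
}

// fixedPinCheck first derives the validated chain from the leaf to a root in
// the trust store (the chain "cleaning" the fixed versions perform) and applies
// the pins only to certificates on that chain.
func fixedPinCheck(presented []*x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) bool {
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil {
		return false // no valid path at all: pinning cannot succeed either
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[pin(c)] {
				return true
			}
		}
	}
	return false
}

// Demo builds the scenario from the advisory and runs both checks against the
// attacker's chain, plus the fixed check against the genuine chain.
func Demo() (vulnerablePasses, fixedPasses, genuinePasses bool) {
	const host = "api.example.com" // hypothetical pinned host

	trustedCA, trustedKey := newCert("Trusted Public CA", true, nil, nil) // in the trust store, not pinned
	pinnedCA, pinnedKey := newCert("Pinned Private CA", true, nil, nil)   // the app pins this CA's SPKI
	genuineLeaf, _ := newCert(host, false, pinnedCA, pinnedKey)
	attackerLeaf, _ := newCert(host, false, trustedCA, trustedKey) // MITM cert the attacker holds the key for

	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	roots.AddCert(pinnedCA)
	pins := map[string]bool{pin(pinnedCA): true}

	// The attack: a leaf that validates via the trusted CA, followed by the
	// pinned certificate, which is public and lies on no valid path from the leaf.
	malicious := []*x509.Certificate{attackerLeaf, pinnedCA}
	genuine := []*x509.Certificate{genuineLeaf, pinnedCA}

	vulnerablePasses = vulnerablePinCheck(malicious, pins)
	fixedPasses = fixedPinCheck(malicious, roots, host, pins)
	genuinePasses = fixedPinCheck(genuine, roots, host, pins)
	return
}

func main() {
	v, f, g := Demo()
	fmt.Println("flawed pinner accepts attacker chain:", v)        // true
	fmt.Println("chain-cleaning pinner accepts attacker chain:", f) // false
	fmt.Println("chain-cleaning pinner accepts genuine chain:", g)  // true
}
```

The check worth taking from this when reviewing any pinning implementation: pins must be evaluated against the chain the trust manager actually validated, never against the raw list the peer sent, because the peer controls that list entirely.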

Vulnerable Products

squareup okhttp3 3.0.0
squareup okhttp3 3.0.1
squareup okhttp3 3.1.0
squareup okhttp3 3.1.1
squareup okhttp (2.x prior to 2.7.4)

Github Repositories

Testing Vulnerable libraries in Xamarin Project - using OWASP dependency-check and SafeNuGet

Xamarin Security - Vulnerable App: a Xamarin cross-platform app (currently Android only) which imports two vulnerable libraries: 1. System.Net.Security 4.3.0; 2. Square.OkHTTP3 3.0.1. Checking vulnerabilities using OWASP dependency-check and SafeNuGet. Steps to install / run the solution: import the solution into a Xamarin / C#-compatible IDE (i.e. Visual Studio / Xamarin Studio).

Simple script for testing CVE-2016-2402 and similar flaws

cert pinning flaw POC. Simple POC script for testing CVE-2016-2402 and similar flaws. Read my blog post for details. This utility will set up an HTTPS server that serves a malicious certificate chain to the client for a specific domain. If traffic from an app with a vulnerable certificate pinning implementation is redirected to this server, the pinning control will be bypassed a

OkHttp sample app vulnerable to CVE-2016-2402

OkHttp simple-client app vulnerable to CVE-2016-2402. This is a fork of the default simple-client from the okhttp project. Simple-client is a Java app that just does a GET request to api.github.com and fetches the names of okhttp's contributors. This fork has been edited so that OkHttp 3.0.1 is used for networking connections and certificate pinning is also used. Ok