CertificatePinner.java in OkHttp 3.x up to and including 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This ID is disputed because some parties don't consider this to be a vulnerability. Their rationale can be found at github.com/square/okhttp/issues/4967
Vulnerable Product |
---|
squareup okhttp |