What is CVE-2018-20200?

CVE-2018-20200 is a vulnerability in OkHttp 3.x through 3.12.0 that allows man-in-the-middle attackers to bypass certificate pinning.

How severe is CVE-2018-20200?

CVE-2018-20200 has a severity rating of 5.9, which is considered medium.

What is the affected software for CVE-2018-20200?

The affected software for CVE-2018-20200 is OkHttp versions 3.0.0 through 3.12.0.

How can an attacker exploit CVE-2018-20200?

An attacker can exploit CVE-2018-20200 by changing the SSLContext and boolean values while hooking the application to bypass certificate pinning.

Are there any references for CVE-2018-20200?

Yes, you can find references for CVE-2018-20200 at the following links: [link 1](https://cxsecurity.com/issue/WLB-2018120252), [link 2](https://github.com/square/okhttp/commits/master), [link 3](https://github.com/square/okhttp/issues/4967).

Vulnerability/
CVE-2018-20200

medium

5.9

CWE

295

18/4/2019

5/8/2024

CVE-2018-20200

First published: Thu Apr 18 2019(Updated: )

** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Squareup Okhttp	>=3.0.0<=3.12.0
	>=3.0.0<=3.12.0

Remedy

https://github.com/square/okhttp/commits/master

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-20200?
CVE-2018-20200 is a vulnerability in OkHttp 3.x through 3.12.0 that allows man-in-the-middle attackers to bypass certificate pinning.
How severe is CVE-2018-20200?
CVE-2018-20200 has a severity rating of 5.9, which is considered medium.
What is the affected software for CVE-2018-20200?
The affected software for CVE-2018-20200 is OkHttp versions 3.0.0 through 3.12.0.
How can an attacker exploit CVE-2018-20200?
An attacker can exploit CVE-2018-20200 by changing the SSLContext and boolean values while hooking the application to bypass certificate pinning.
Are there any references for CVE-2018-20200?
Yes, you can find references for CVE-2018-20200 at the following links: [link 1](https://cxsecurity.com/issue/WLB-2018120252), [link 2](https://github.com/square/okhttp/commits/master), [link 3](https://github.com/square/okhttp/issues/4967).

collector/nvd-index
agent/type
agent/first-publish-date
agent/remedy
agent/severity
agent/weakness
agent/references
agent/author
agent/status
agent/softwarecombine
agent/description
agent/event
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
collector/mitre-cve
source/MITRE
status/disputed
vendor/squareup
canonical/squareup okhttp
version/squareup okhttp/3.0.0
version/squareup okhttp/3.12.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.