Vulnerability Name:

CVE-2018-20200

Assigned:2018-12-18
Published:2019-04-18
Updated:2020-12-16
Summary:** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.
Note: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-295
References:Source: MITRE
Type: CNA
CVE-2018-20200

Source: MISC
Type: Exploit, Third Party Advisory
https://cxsecurity.com/issue/WLB-2018120252

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/square/okhttp/commits/master

Source: MISC
Type: UNKNOWN
https://github.com/square/okhttp/issues/4967

Source: MISC
Type: Product
https://github.com/square/okhttp/releases

Source: MLIST
Type: UNKNOWN
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Source: MLIST
Type: UNKNOWN
[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities

Source: MLIST
Type: UNKNOWN
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities

Source: MLIST
Type: UNKNOWN
[flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version

Source: MLIST
Type: UNKNOWN
[flink-issues] 20201023 [jira] [Assigned] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200

Source: MLIST
Type: UNKNOWN
[flink-issues] 20201026 [jira] [Commented] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200

Source: MLIST
Type: UNKNOWN
[flink-issues] 20201023 [jira] [Commented] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200

Source: MLIST
Type: UNKNOWN
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list

Source: MLIST
Type: UNKNOWN
[flink-issues] 20201023 [jira] [Updated] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200

Source: MLIST
Type: UNKNOWN
[flink-issues] 20201026 [jira] [Closed] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200

Source: MISC
Type: Third Party Advisory
https://square.github.io/okhttp/3.x/okhttp/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squareup:okhttp:*:*:*:*:*:*:*:* (Version >= 3.0.0 and <= 3.12.0)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.cosmic:def:201820200000
    V
    		CVE-2018-20200 on Ubuntu 18.10 (cosmic) - medium.
    2019-04-18
    oval:com.ubuntu.disco:def:2018202000000000
    V
    		CVE-2018-20200 on Ubuntu 19.04 (disco) - medium.
    2019-04-18
    oval:com.ubuntu.bionic:def:201820200000
    V
    		CVE-2018-20200 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-04-18
    oval:com.ubuntu.cosmic:def:2018202000000000
    V
    		CVE-2018-20200 on Ubuntu 18.10 (cosmic) - medium.
    2019-04-18
    oval:com.ubuntu.bionic:def:2018202000000000
    V
    		CVE-2018-20200 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-04-18
    BACK
    squareup okhttp *