
CVE-2016-2402: Improper Certificate Validation in OkHttp

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.93129%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name                  Ecosystem  Vulnerable Versions   First Patched Version
com.squareup.okhttp3:okhttp   maven      <= 2.7.3              2.7.4
com.squareup.okhttp3:okhttp   maven      >= 3.0.0, <= 3.1.1    3.1.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from OkHttp's certificate pinning implementation validating pins against the certificate chain the server presented rather than against the chain validated by the system trust store. In vulnerable versions, `CertificatePinner.check()` used the peer certificates (the raw, untrusted chain) instead of the locally validated certificates. A man-in-the-middle attacker could therefore present a chain containing both a certificate from a trusted CA and the pinned certificate, and the pin check would pass. The fix switched the check to the validated chain, as confirmed by the vulnerability descriptions and technical analyses of the attack mechanism.
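As an added illustration in Java (not OkHttp's own code; the class and method names are hypothetical, and cleanChain is a simplified stand-in for OkHttp's certificate chain cleaner): the vulnerable shape matches pins against every certificate the peer presented, while the fixed shape first rebuilds the chain along verified signatures up to a locally trusted anchor, so a certificate that is not on that path can never satisfy a pin.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.SSLPeerUnverifiedException;
/** Added example: pin matching over the raw peer chain versus over a cleaned, validated chain. */
public final class PinCheckExample {
    /** OkHttp's pin format: "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo)). */
    static String pin(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }
    /** Vulnerable shape: any certificate the peer sent can satisfy a pin, whether or not it signed anything. */
    static boolean pinsMatch(List<X509Certificate> chain, Set<String> pins) throws GeneralSecurityException {
        for (X509Certificate cert : chain) if (pins.contains(pin(cert))) return true;
        return false;
    }
    /** The candidate whose subject name and public key actually signed cert, or null if none did. */
    static X509Certificate findIssuer(X509Certificate cert, Collection<X509Certificate> candidates) {
        for (X509Certificate c : candidates) {
            if (!cert.getIssuerX500Principal().equals(c.getSubjectX500Principal())) continue;
            try { cert.verify(c.getPublicKey()); return c; } catch (GeneralSecurityException e) { /* not the signer */ }
        }
        return null;
    }
    /** Rebuild the chain from the leaf along verified signatures up to a trust anchor; unrelated extras are dropped. */
    static List<X509Certificate> cleanChain(List<X509Certificate> peerChain, Set<X509Certificate> trustAnchors) throws SSLPeerUnverifiedException {
        Deque<X509Certificate> unused = new ArrayDeque<>(peerChain);
        List<X509Certificate> result = new ArrayList<>();
        X509Certificate current = unused.removeFirst();
        result.add(current);
        for (int hops = 0; hops < 9; hops++) { // bound the walk so a malformed chain cannot loop
            X509Certificate anchor = findIssuer(current, trustAnchors);
            if (anchor != null) { // reached a locally trusted certificate: the validated path is complete
                if (!anchor.equals(current)) result.add(anchor);
                return result;
            }
            X509Certificate next = findIssuer(current, unused);
            if (next == null) throw new SSLPeerUnverifiedException("no trusted path from " + current.getSubjectX500Principal());
            result.add(current = next);
            unused.remove(next);
        }
        throw new SSLPeerUnverifiedException("certificate chain too long");
    }
    /** Fixed shape: pins are matched only against the validated chain, never against the raw peer chain. */
    static boolean pinsMatchFixed(List<X509Certificate> peerChain, Set<X509Certificate> trustAnchors, Set<String> pins)
            throws GeneralSecurityException, SSLPeerUnverifiedException {
        return pinsMatch(cleanChain(peerChain, trustAnchors), pins);
    }
}
```

With a presented chain in which the pinned certificate did not sign anything on the path from the leaf to a trust anchor, pinsMatch can still return true while pinsMatchFixed returns false, which is the difference the fix introduced.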


WAF Protection Rules

WAF Rule

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
