VDB
CVE-2018-20200
CVE-2018-20200
PUBLISHED
CVSS 5.900000095367432 MEDIUM
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.
EPSS 0.29% · 53.1th percentile
Risk Scores
CVSS 3.0
5.900000095367432
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.29%
53.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| squareup | okhttp | 3.0.0 |
Timeline
- Apr 18, 2019 CVE Published
- Dec 16, 2020 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://cxsecurity.com/issue/WLB-2018120252 url
- https://square.github.io/okhttp/3.x/okhttp/ url
- https://github.com/square/okhttp/releases url
- https://github.com/square/okhttp/commits/master url
- https://github.com/square/okhttp/issues/4967 url
- [drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities mailing-list
- [drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
- [drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities mailing-list
- [flink-user] 20201022 Dependency vulnerabilities with flink 1.11.1 version mailing-list
- [flink-issues] 20201023 [jira] [Assigned] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200 mailing-list
- [flink-issues] 20201023 [jira] [Commented] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200 mailing-list
- [flink-issues] 20201023 [jira] [Updated] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200 mailing-list
- [flink-issues] 20201026 [jira] [Closed] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200 mailing-list
- [flink-issues] 20201026 [jira] [Commented] (FLINK-19784) Upgrade okhttp to 3.13.0 or newer due to CVE-2018-20200 mailing-list
- [pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list mailing-list
- https://lists.apache.org/thread.html/recce57e195fbdd856dcf1933c136a8a66d7b02e05e3580f44d75a640@%3Cissues.flink.apache.org%3E url
- https://nvd.nist.gov/vuln/detail/CVE-2018-20200 advisory
- https://square.github.io/okhttp/3.x/okhttp url
- https://lists.apache.org/thread.html/rfd1eed12ba2a5dff37229edd60fc84a25517815d848994146a15af91@%3Cissues.flink.apache.org%3E url
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E url
…and 7 more