Subject: CVE request - OkHttp Certificate Pining Bypass
Date: Wednesday 10th February 2016 21:35:17 UTC (over 2 years ago)
A vulnerability was discovered in OkHttp that allows an attacker to bypass certificate pinning. OkHttp did not validate that the pinned certificate was in the chain to a trusted certificate authority. This resulted in an attacker being able to present a certificate chain with a certificate issued by one trusted certificate authority, and additionally including the pinned certificate authority. Because the pinned certificate was present, and the certificate was issued by a trusted certificate authority, the server's certificate was accepted. However, it should not have been accepted as the pinned certificate was not in the trust chain. This allows an attacker to obtain a certificate from a non-pinned but trusted CA, then have OkHttp connect to that server, bypassing certificate pinning.