CVE-2016-2402
Improper Certificate Validation in OkHttp
CVSS 3.1: 5.9 (MEDIUM)
EPSS: 2.7%
Description
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning: an attacker can present a certificate chain that contains a certificate issued by a trusted but non-pinned CA together with the pinned certificate, and the pin check accepts the chain because it finds the pinned certificate in the chain as presented rather than in the validated trust path.
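The following is an added example, not OkHttp's own code: a small Python model of the pin-check mistake the description refers to. Certificates, the trust store, the signature scheme and the hostnames are all constructed for the example. The vulnerable check scans every certificate the peer presented for a pinned key; the hardened check first builds the trust path from the leaf to a trust anchor and only then looks for a pin on that path, so an unrelated certificate appended to the chain is ignored.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Toy certificate: a subject name, the issuer's name, a public key and a signature."""
    subject: str
    issuer: str
    public_key: str
    signature: str


def _sign(issuer_key: str, subject: str, public_key: str) -> str:
    # Constructed stand-in for a real signature: a hash bound to the issuer's key.
    return hashlib.sha256(f"{issuer_key}|{subject}|{public_key}".encode()).hexdigest()


def make_cert(subject: str, public_key: str, issuer: "Cert | None" = None) -> Cert:
    """Issue a certificate; with no issuer the certificate is self-signed."""
    issuer_name = subject if issuer is None else issuer.subject
    issuer_key = public_key if issuer is None else issuer.public_key
    return Cert(subject, issuer_name, public_key, _sign(issuer_key, subject, public_key))


def verify_signature(cert: Cert, issuer: Cert) -> bool:
    return cert.signature == _sign(issuer.public_key, cert.subject, cert.public_key)


def pin(cert: Cert) -> str:
    """Pin in the familiar 'sha256/<base64>' form, computed over the toy public key."""
    digest = hashlib.sha256(cert.public_key.encode()).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def build_trusted_chain(presented: list[Cert], roots: list[Cert]) -> "list[Cert] | None":
    """Walk from the leaf to a trust anchor, keeping only certificates that actually
    chain to it. Returns None if no valid path exists."""
    if not presented:
        return None
    candidates = list(presented) + list(roots)
    chain = [presented[0]]
    current = presented[0]
    for _ in range(len(candidates)):
        if current in roots:
            return chain
        issuer = next((c for c in candidates
                       if c.subject == current.issuer and verify_signature(current, c)), None)
        if issuer is None:
            return None
        chain.append(issuer)
        current = issuer
    return None


def pins_match_presented_chain(presented: list[Cert], pins: set[str]) -> bool:
    """Vulnerable pattern: any certificate the peer sent satisfies the pin."""
    return any(pin(c) in pins for c in presented)


def pins_match_validated_chain(presented: list[Cert], pins: set[str], roots: list[Cert]) -> bool:
    """Hardened pattern: validate the chain first, then check pins on the trust path only."""
    chain = build_trusted_chain(presented, roots)
    if chain is None:
        return False
    return any(pin(c) in pins for c in chain)


# Constructed PKI: two trusted roots, the legitimate pinned leaf, and an attacker's leaf
# for the same hostname issued by the other (trusted but non-pinned) root.
ROOT_A = make_cert("Root A", "key-root-a")
ROOT_B = make_cert("Root B", "key-root-b")
TRUST_ROOTS = [ROOT_A, ROOT_B]
PINNED_LEAF = make_cert("api.example.com", "key-legit-leaf", issuer=ROOT_A)
ATTACKER_LEAF = make_cert("api.example.com", "key-attacker-leaf", issuer=ROOT_B)
PINS = {pin(PINNED_LEAF)}

LEGIT_CHAIN = [PINNED_LEAF, ROOT_A]
# The chain shape from the description: a valid path under a non-pinned CA,
# with the pinned certificate appended even though nothing chains to it.
CRAFTED_CHAIN = [ATTACKER_LEAF, ROOT_B, PINNED_LEAF]


def evaluate() -> dict[str, bool]:
    return {
        "legit_presented": pins_match_presented_chain(LEGIT_CHAIN, PINS),
        "legit_validated": pins_match_validated_chain(LEGIT_CHAIN, PINS, TRUST_ROOTS),
        "crafted_presented": pins_match_presented_chain(CRAFTED_CHAIN, PINS),
        "crafted_validated": pins_match_validated_chain(CRAFTED_CHAIN, PINS, TRUST_ROOTS),
    }


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The crafted chain is accepted by the presented-chain check and rejected by the validated-chain check; the legitimate chain passes both. When reviewing a pinning implementation, the question to ask is exactly this one: does the pin check run over the chain as received from the peer, or over the path the trust validator actually built?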
How to fix CVE-2016-2402
To remediate CVE-2016-2402, upgrade the affected package to a fixed version: 2.7.4 or later for the 2.x line, or 3.1.2 or later for the 3.x line, as given in the description above.
- Maven, com.squareup.okhttp3:okhttp: upgrade to 2.7.4 or later
Is CVE-2016-2402 being exploited?
Low: EPSS is 2.7%, indicating that exploitation activity has not been observed at scale.
Affected packages (1)
- com.squareup.okhttp3:okhttp, versions >= 0 and < 2.7.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |