Open lcimeni opened 3 years ago
Update: This finding has been marked as ‘Pass’ by Lorenz Cimeni, so no additional action required.
Powered by NowSecure Platform
Update: This finding has been permanently hidden by Lorenz Cimeni, so no additional action required.
Update: The risk severity (CVSS score) of this finding has been modified from 5.9 to 8.88 by Lorenz Cimeni.
Update: The risk severity (CVSS score) of this finding has been modified from 8.88 to 8.8888 by Lorenz Cimeni.
Finding Description
The application was found to be using a vulnerable version of the OkHttp library. In the affected versions, certificate pinning can be bypassed by presenting a certificate chain that contains a certificate from a non-pinned but trusted CA together with the pinned certificate: the pin matches the appended certificate even though that certificate played no part in validating the connection. OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers on the same local or upstream network to bypass certificate pinning and potentially intercept and modify network data.
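The bypass described above, modelled as an added example (this is not OkHttp's code or the finding's own material). Certificates are plain records with no real signatures, "trust" is modelled as issuer-name links to a set of trusted root names, and the hostnames, key bytes and CA names are constructed. The flawed check matches pins against every certificate the server sent; the hardened check first builds the chain that actually validated the leaf and matches pins only against that.

```python
"""Model of the OkHttp pinning bypass described in the finding (constructed
example, not OkHttp's code). Certs are plain records with no signatures;
trust is modelled as issuer-name links to a set of trusted root names."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the SubjectPublicKeyInfo that a pin is computed over


def pin_of(cert: Cert) -> str:
    """SHA-256 of the SPKI, the form a CertificatePinner pin takes."""
    return "sha256/" + hashlib.sha256(cert.spki).hexdigest()


def build_trust_path(presented: list[Cert], trust_roots: set[str]) -> list[Cert]:
    """Chain that actually validates the leaf: follow issuer links from the
    leaf until a trusted root is reached. Certificates the walk never visits
    play no part in trust, just as a real TrustManager ignores extras."""
    by_subject = {c.subject: c for c in presented}
    path = [presented[0]]
    while path[-1].issuer not in trust_roots:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt in path:
            raise ValueError("presented chain does not lead to a trusted root")
        path.append(nxt)
    return path


def vulnerable_pin_check(presented: list[Cert], pins: set[str], trust_roots: set[str]) -> bool:
    """Flawed logic: the handshake validates the chain, but pins are then
    matched against the raw chain as presented, so a pinned certificate
    appended to an unrelated chain satisfies the check."""
    build_trust_path(presented, trust_roots)  # validation still happens...
    return any(pin_of(c) in pins for c in presented)  # ...but pins see the raw chain


def hardened_pin_check(presented: list[Cert], pins: set[str], trust_roots: set[str]) -> bool:
    """Fixed logic: pins are matched only against the validated trust path."""
    return any(pin_of(c) in pins for c in build_trust_path(presented, trust_roots))


# Constructed PKI: the app pins its CA's intermediate; the device also trusts an
# unrelated root from which the attacker can obtain a certificate for the host.
TRUST_ROOTS = {"Real Root CA", "Other Trusted Root"}
REAL_INTERMEDIATE = Cert("Real Intermediate", "Real Root CA", b"real-intermediate-key")
REAL_LEAF = Cert("api.example.com", "Real Intermediate", b"real-leaf-key")
MITM_LEAF = Cert("api.example.com", "Other Trusted Root", b"attacker-key")
PINS = {pin_of(REAL_INTERMEDIATE)}

LEGIT_CHAIN = [REAL_LEAF, REAL_INTERMEDIATE]
# Attacker's chain: their own leaf, with the pinned intermediate appended.
ATTACK_CHAIN = [MITM_LEAF, REAL_INTERMEDIATE]

if __name__ == "__main__":
    for name, chain in (("legitimate", LEGIT_CHAIN), ("attacker", ATTACK_CHAIN)):
        print(name, "vulnerable:", vulnerable_pin_check(chain, PINS, TRUST_ROOTS),
              "hardened:", hardened_pin_check(chain, PINS, TRUST_ROOTS))
```

The attacker's chain passes the trust check on its own (its leaf is issued by a root the device trusts), and the appended intermediate is what makes the flawed pin check succeed; the hardened check never sees it because it is not on the validated path.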
Steps to Reproduce
During static analysis, the binary is searched for version strings of the third-party library OkHttp that fall in the vulnerable ranges (before 2.7.4, or 3.x before 3.1.2).
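One way to perform that check yourself, as an added example that is not NowSecure's scanner: scan the unpacked binary (classes.dex, or a native library) for the version token OkHttp embeds in its user-agent string, "okhttp/<major>.<minor>.<patch>" (an assumption about how the version is embedded), and flag the ranges named in the finding. The sample blob is constructed.

```python
"""Scan a binary blob for embedded OkHttp version strings and flag the
vulnerable ranges from the finding (constructed example, not NowSecure's
scanner). Assumes the version is embedded as "okhttp/<major>.<minor>.<patch>"."""
import re

OKHTTP_VERSION = re.compile(rb"okhttp/(\d+)\.(\d+)\.(\d+)")


def is_vulnerable(version: tuple[int, int, int]) -> bool:
    """OkHttp before 2.7.4, or 3.x before 3.1.2 (the ranges in the finding)."""
    return version < (2, 7, 4) or (3, 0, 0) <= version < (3, 1, 2)


def scan_blob(blob: bytes) -> list[tuple[str, bool]]:
    """Return (version, vulnerable) for each distinct OkHttp version found,
    sorted by version. More than one copy can be present when a transitive
    dependency bundles an older OkHttp alongside the app's own."""
    found = {}
    for m in OKHTTP_VERSION.finditer(blob):
        version = tuple(int(x) for x in m.groups())
        found[version] = is_vulnerable(version)
    return [(".".join(map(str, v)), vuln) for v, vuln in sorted(found.items())]


def scan_file(path: str) -> list[tuple[str, bool]]:
    with open(path, "rb") as f:
        return scan_blob(f.read())


# Constructed stand-in for a classes.dex: two OkHttp copies are embedded
# (an old transitive 3.x one and the app's own 4.x), plus a patched 2.x.
SAMPLE_BLOB = (b"\x00\x00Lokhttp3/OkHttpClient;\x00okhttp/3.1.1\x00"
               b"\x00com/squareup/okhttp/internal/Version\x00okhttp/2.7.5\x00"
               b"\x00okhttp/4.9.3\x00")

if __name__ == "__main__":
    for version, vuln in scan_blob(SAMPLE_BLOB):
        print(f"okhttp/{version}: {'VULNERABLE' if vuln else 'ok'}")
```

A string scan is a heuristic: a build that strips or rewrites the version constant will not be found this way, and a hit in an old transitive copy matters even when the app's declared dependency is current, so treat any vulnerable hit as a finding until the packaged copy is identified.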
Business Impact
The app communicates through a third-party library whose certificate pinning can be bypassed. A malicious actor positioned on the network path could see and modify information flowing to and from the app, potentially for multiple users at once.
Remediation Resources
Update the version of OkHttp used in the application to 4 or later. After updating, confirm that the new version is the one actually packaged in the binary, since a transitive dependency may still pull in an old copy.
Risk and Regulatory Information
Severity: medium CVSS: 5.9
Application
See more detail in the NowSecure Report