CVE-2016-2402
MEDIUMOkHttp < 2.7.4 and 3.x < 3.1.2 - Certificate Pinning Bypass via Trusted CA Certificate Chain
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2016-2402. PoCs published by ikoz.
AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2016-2402, a certificate pinning bypass vulnerability. The script sets up a malicious HTTPS server that serves a crafted certificate chain to intercept traffic from vulnerable applications.
Description
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
Exploits (2)
This repository contains a functional proof-of-concept exploit for CVE-2016-2402, a certificate pinning bypass vulnerability. The script sets up a malicious HTTPS server that serves a crafted certificate chain to intercept traffic from vulnerable applications.
This repository contains a functional PoC demonstrating CVE-2016-2402, a certificate pinning bypass vulnerability in OkHttp 3.0.1. The app uses OkHttp with certificate pinning enabled but is vulnerable due to improper validation, allowing MITM attacks.
References (5)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N