CVE-2017-5887
HIGHStarscream < 2.0.3 - SSL Pinning Bypass via Late Certificate Validation
Title source: llmDescription
WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypass because pinning occurs in the stream function (this is too late; pinning should occur in the initStreamsWithData function).
References (3)
Core 3
Core References
Mailing List x_refsource_misc
http://seclists.org/bugtraq/2017/Apr/67
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/daltoniam/Starscream/releases/tag/2.0.4
Patch, Third Party Advisory x_refsource_confirm
https://github.com/daltoniam/Starscream/commit/dbeb1190b8dcbff4f0b797f9e9d9b9b864d1f0d6
Scores
CVSS v3
7.5
EPSS
0.0140
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-295
Status
published
Products (1)
starscream_project/starscream
< 2.0.3
Published
Apr 06, 2017
Tracked Since
Feb 18, 2026