Vulnerability

CVE-2021-0341

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-295

References

https://github.com/square/okhttp/pull/6353
https://source.android.com/security/bulletin/2021-02-01#android-runtime
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0341

[CVE-2021-0341] CWE-295: Improper Certificate Validation

Description

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

See com.squareup.okhttp3/okhttp package information