The Twitter Kit framework through 3.4.2 for iOS does not properly validate the api.twitter.com SSL certificate. Although the certificate chain must contain one of a set of pinned certificates, there are certain implementation errors such as a lack of hostname verification. NOTE: this is an end-of-life product.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"last_affected": "3.4.2"
}
],
"source": "CPE_RANGE",
"vendor_product": "twitter:twitter_kit",
"cpes": [
"cpe:2.3:a:twitter:twitter_kit:*:*:*:*:*:iphone_os:*:*"
]
}
]
}