GHSA-3cqm-mf7h-prrj

Source
https://github.com/advisories/GHSA-3cqm-mf7h-prrj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3cqm-mf7h-prrj/GHSA-3cqm-mf7h-prrj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3cqm-mf7h-prrj
Aliases
Downstream
Published
2022-05-24T17:41:45Z
Modified
2025-11-13T17:12:40.385769Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Square OkHttp can accept the wrong certificate
Details

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-171980069.

Database specific
{
    "nvd_published_at": "2021-02-10T17:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2025-11-13T16:34:06Z"
}
References

Affected packages

Maven / com.squareup.okhttp3:okhttp

Package

Name
com.squareup.okhttp3:okhttp
Purl
pkg:maven/com.squareup.okhttp3/okhttp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.9.2

Affected versions

3.*

3.0.0-RC1
3.0.0
3.0.1
3.1.0
3.1.1
3.1.2
3.2.0
3.3.0
3.3.1
3.4.0-RC1
3.4.0
3.4.1
3.4.2
3.5.0
3.6.0
3.7.0
3.8.0
3.8.1
3.9.0
3.9.1
3.10.0
3.11.0
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.14.5
3.14.6
3.14.7
3.14.8
3.14.9

4.*

4.0.0-alpha01
4.0.0-alpha02
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0-RC1
4.5.0
4.6.0
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.9.0
4.9.1