{"id":"CVE-2016-2402","details":"OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.","aliases":["GHSA-4hc2-jh7r-wrc3"],"modified":"2026-07-08T12:41:45.208610Z","published":"2017-01-30T22:59:00.390Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/02/10/8"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/02/18/7"},{"type":"ADVISORY","url":"https://koz.io/pinning-cve-2016-2402/"},{"type":"ADVISORY","url":"https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/square/okhttp","events":[{"introduced":"0"},{"last_affected":"2df2565bba8edac14070460bd9034aa281a94afc"},{"introduced":"c9b812a4ab75bfbf1e1de439ee719fa700a592f1"},{"last_affected":"0cd6b186b1789cbdb81d22768425ec149d395766"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*","cpe:2.3:a:squareup:okhttp3:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:squareup:okhttp3:3.0.0:rc1:*:*:*:*:*:*","cpe:2.3:a:squareup:okhttp3:3.0.1:*:*:*:*:*:*:*","cpe:2.3:a:squareup:okhttp3:3.1.0:*:*:*:*:*:*:*","cpe:2.3:a:squareup:okhttp3:3.1.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"2.7.3"},{"introduced":"3.0.0"},{"last_affected":"3.0.0"},{"introduced":"3.0.0-rc1"},{"last_affected":"3.0.0-rc1"},{"introduced":"3.0.1"},{"last_affected":"3.0.1"},{"introduced":"3.1.0"},{"last_affected":"3.1.0"},{"introduced":"3.1.1"},{"last_affected":"3.1.1"}]}}],"versions":["3.0.0","3.0.0-rc1","3.0.1","3.1.0","3.1.1","parent-3.1.1","parent-2.7.3","parent-3.1.0","parent-3.0.1","parent-3.0.0","parent-2.7.2","parent-2.7.1","parent-2.7.0","parent-2.6.0","parent-2.5.0","parent-2.4.0","parent-2.4.0-RC1","parent-2.3.0","parent-2.2.0","parent-2.1.0-RC1","parent-2.0.0-RC2","parent-2.0.0-RC1","parent-1.2.1","parent-1.2.0","parent-1.1.1","parent-1.1.0","parent-1.0.2","parent-1.0.1","parent-1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2402.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}