{"id":"UBUNTU-CVE-2018-20200","details":"** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967.","modified":"2019-04-18T19:29:00Z","published":"2019-04-18T19:29:00Z","withdrawn":"2025-06-23T15:53:16Z","references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-20200"},{"type":"REPORT","url":"https://github.com/square/okhttp/issues/4967"},{"type":"REPORT","url":"https://cxsecurity.com/issue/WLB-2018120252"},{"type":"REPORT","url":"https://github.com/square/okhttp/commits/master"},{"type":"REPORT","url":"https://github.com/square/okhttp/releases"},{"type":"REPORT","url":"https://square.github.io/okhttp/3.x/okhttp/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-20200"}],"affected":[{"package":{"name":"libokhttp-java","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/libokhttp-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.9.0-1","3.9.1-1","3.10.0-1"],"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-20200.json"}},{"package":{"name":"libokhttp-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libokhttp-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.13.1-1"],"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-20200.json"}},{"package":{"name":"libokhttp-java","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libokhttp-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.13.1-2","3.13.1-3"],"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-20200.json"}},{"package":{"name":"libokhttp-java","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libokhttp-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.13.1-3","3.13.1-4"],"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-20200.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}