Okhttp Squareup Okhttp

By the Year

In 2024 there have been 0 vulnerabilities in Squareup Okhttp. Last year Okhttp had 2 security vulnerabilities published. Right now, Okhttp is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 2 5.70
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 1 5.90
2018 0 0.00

It may take a day or so for new Okhttp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Squareup Okhttp Security Vulnerabilities

A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw

CVE-2023-0833 5.5 - Medium - September 27, 2023

A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.

Generation of Error Message Containing Sensitive Information

DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker

CVE-2023-3782 5.9 - Medium - July 19, 2023

DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response.

CertificatePinner.java in OkHttp 3.x through 3.12.0

CVE-2018-20200 5.9 - Medium - April 18, 2019

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967

Improper Certificate Validation

OkHttp before 2.7.4 and 3.x before 3.1.2

CVE-2016-2402 5.9 - Medium - January 30, 2017

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

Improper Certificate Validation
