CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.

Upstream issue: https://github.com/square/okhttp/issues/4967

References:
https://cxsecurity.com/issue/WLB-2018120252
https://github.com/square/okhttp/commits/master
https://github.com/square/okhttp/releases
https://square.github.io/okhttp/3.x/okhttp/
Created okhttp tracking bugs for this issue:
Affects: fedora-all [bug 1709380]
Statement: OkHttp is used by OpenShift Container Platform in the Aggregated Logging stack. This issue is not considered a vulnerability for OpenShift Container Platform as the prerequisite for exploitation is the ability to inject code into the application.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20200