CVE-2021-0341 – Improper Certificate Validation

Severity: None

Date: 2025-12-19


Abstract

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-8.1, Android-9, Android-10, Android-11
Android ID: A-171980069

The Oxygen products incorporate OkHttp as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on those products.

Affected Products/Versions

Product                          | Severity | Fixed Release Availability
Oxygen Feedback v5.2.2 and older | None     | Oxygen Feedback 5.2.3 build 2025071110

Mitigation

None

Detail

CVE-2021-0341

Severity: High (rating of the underlying CVE; the product-specific severity in the table above is None)

CVSS Score: 7.5 (base score of the underlying CVE)

CVE-2021-0341 is a flaw in OkHttp's hostname verification logic (OkHostnameVerifier.verifyHostname) that, in certain edge cases, may accept a TLS certificate issued for a different domain than the one the client intended to reach. The handshake itself still succeeds with a valid certificate; the error is in the match between the certificate's names and the requested hostname, so a network attacker holding a certificate for another name could act as a man-in-the-middle and obtain the data the client sends, i.e. remote information disclosure. The issue concerns hostname verification behavior only and does not require user interaction to trigger.
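To make the failure mode concrete, the following Python is an added example for this advisory, not code from the advisory, from OkHttp or from Android. It contrasts a lax hostname matcher with a strict one over a constructed subjectAltName list. The edge cases it exercises (non-ASCII hostnames that case-fold to ASCII, wildcards that swallow more than one label, IP literals) are generic hostname-verification pitfalls chosen to show the class of wrong-domain acceptance; they are not a claim about the exact input that triggers CVE-2021-0341.

```python
import ipaddress

# Constructed sample subjectAltName entries, as a client would read them off
# a server certificate; not taken from any real Oxygen Feedback endpoint.
SAMPLE_SANS = [
    ("DNS", "*.example.com"),
    ("DNS", "example.com"),
    ("IP", "203.0.113.10"),
]


def lax_match(hostname, san_value):
    """Plausible-looking but wrong matcher: full Unicode case folding plus
    suffix matching for wildcards. Kept only to show the failure mode."""
    h = hostname.lower()          # Unicode case mapping: U+212A (Kelvin sign) -> "k"
    p = san_value.lower()
    if p.startswith("*."):
        return h.endswith(p[1:])  # "*.example.com" also swallows "a.b.example.com"
    return h == p


def _ascii_lower(s):
    """Case-fold ASCII letters only; leave every other code point untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def _is_valid_hostname(name):
    """LDH hostname: ASCII letters, digits and hyphens in 1-63 char labels,
    no leading or trailing hyphen, total length at most 253."""
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def strict_match_dns(hostname, pattern):
    """Match a hostname against one dNSName SAN the way a TLS client should:
    ASCII only, ASCII-only case folding, and a wildcard only as the entire
    leftmost label, matching exactly one label under at least two fixed labels."""
    if not hostname.isascii() or not pattern.isascii():
        return False                      # IDNs must arrive already punycoded (xn--...)
    h = _ascii_lower(hostname.rstrip("."))
    p = _ascii_lower(pattern.rstrip("."))
    if not _is_valid_hostname(h):
        return False                      # also rejects "*" or empty labels in the host
    if "*" not in p:
        return _is_valid_hostname(p) and h == p
    if not p.startswith("*."):
        return False                      # "api.*.com" and "a*.example.com" are rejected
    suffix = p[2:]
    if "*" in suffix or suffix.count(".") < 1 or not _is_valid_hostname(suffix):
        return False                      # no "*.com"-style wildcards
    host_labels = h.split(".")
    suffix_labels = suffix.split(".")
    return len(host_labels) == len(suffix_labels) + 1 and host_labels[1:] == suffix_labels


def verify_host(hostname, sans):
    """Decide whether a certificate's SAN list covers `hostname`.
    IP literals match only iPAddress entries; names match only dNSName entries
    (no fallback to the certificate's CN)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and strict_match_dns(hostname, value)
               for kind, value in sans)


if __name__ == "__main__":
    for host in ["api.example.com", "a.b.example.com",
                 "\u212aelvin.example.com", "203.0.113.10"]:
        lax = any(k == "DNS" and lax_match(host, v) for k, v in SAMPLE_SANS)
        print(f"{host!r}: lax={lax} strict={verify_host(host, SAMPLE_SANS)}")
```

The strict path rejects before it compares: non-ASCII input is refused instead of case-folded, the host must be a well-formed LDH name, and a wildcard can only stand in for exactly one leftmost label. That ordering is what keeps a lookalike or over-broad name from being accepted for the wrong domain.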

After review, our conclusion is that our products are not affected in practice. We identified that OkHttp 3.14.9 is used only to reach a single, fixed HTTPS endpoint, with OkHttp's default TLS configuration and hostname verification left intact. We found no code paths that override verification or expose user-controlled hostnames. This assessment depends on those conditions continuing to hold: a fixed endpoint and the default verifier in place.
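The "no code paths override verification" finding above is the kind of claim a reviewer wants to be able to re-check. The scanner below is an added example written for this advisory, not a tool from the Oxygen project, and runs over a constructed Java snippet embedded inline; the pattern names and the "accept-all" versus "review" labels are this example's own. It flags the OkHttp builder hook, the JSSE default and per-connection setters, and Apache HttpClient's permissive verifier, and marks a finding as accept-all only when the same line visibly returns true.

```python
import re

# Call sites that replace or weaken TLS hostname verification in Java/Kotlin
# code using OkHttp, HttpsURLConnection or Apache HttpClient. The keys are
# labels invented for this example.
OVERRIDE_PATTERNS = {
    "okhttp_builder": re.compile(r"\.hostnameVerifier\s*\("),
    "jsse_default": re.compile(r"HttpsURLConnection\s*\.\s*setDefaultHostnameVerifier\s*\("),
    "jsse_instance": re.compile(r"\.setHostnameVerifier\s*\("),
    "apache_noop": re.compile(r"\b(NoopHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER)\b"),
}

# Textual hints, on the same line, that the verifier accepts every hostname.
ACCEPT_ALL = re.compile(r"(->|=>)\s*true\b|return\s+true\s*;")


def scan_source(lines):
    """Return (line_no, kind, severity, text) for each suspicious line.
    severity is "accept-all" when the override obviously returns true and
    "review" otherwise (a custom verifier still needs manual inspection).
    Limitation: a verifier body spread over several lines is reported as
    "review", because only the current line is inspected."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in OVERRIDE_PATTERNS.items():
            if pattern.search(line):
                permissive = kind == "apache_noop" or ACCEPT_ALL.search(line) is not None
                findings.append((no, kind, "accept-all" if permissive else "review", line.strip()))
                break
    return findings


# Constructed sample source, not code from Oxygen Feedback.
SAMPLE_SOURCE = """\
OkHttpClient client = new OkHttpClient.Builder()
    .connectTimeout(10, TimeUnit.SECONDS)
    .build();
// leftover debug helper in this constructed sample
OkHttpClient debug = new OkHttpClient.Builder()
    .hostnameVerifier((hostname, session) -> true)
    .build();
HttpsURLConnection.setDefaultHostnameVerifier(new CompanyVerifier());
""".splitlines()


if __name__ == "__main__":
    for no, kind, severity, text in scan_source(SAMPLE_SOURCE):
        print(f"line {no}: {severity:10s} {kind:15s} {text}")
```

In the sample, the first client keeps OkHttp's defaults and produces no finding; the lambda that returns true is reported as accept-all, and the JSSE default-verifier replacement is reported for review because its behaviour lives in another class. Running the same scan over a whole source tree (feeding each file's lines to `scan_source`) is the concrete check behind the statement that no code path overrides verification.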
