Vulnerability Details CVE-2019-16263
The Twitter Kit framework through 3.4.2 for iOS does not properly validate the api.twitter.com SSL certificate. Although the certificate chain must contain one of a set of pinned certificates, there are certain implementation errors such as a lack of hostname verification. NOTE: this is an end-of-life product.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.8%
CVSS Severity
CVSS v3 Score 7.4
CVSS v2 Score 5.8
Products affected by CVE-2019-16263
- cpe:2.3:a:twitter:twitter_kit:3.0
- cpe:2.3:a:twitter:twitter_kit:3.0.1
- cpe:2.3:a:twitter:twitter_kit:3.0.2
- cpe:2.3:a:twitter:twitter_kit:3.0.3
- cpe:2.3:a:twitter:twitter_kit:3.0.4
- cpe:2.3:a:twitter:twitter_kit:3.1.0
- cpe:2.3:a:twitter:twitter_kit:3.1.1
- cpe:2.3:a:twitter:twitter_kit:3.2.0
- cpe:2.3:a:twitter:twitter_kit:3.2.1
- cpe:2.3:a:twitter:twitter_kit:3.4.0
- cpe:2.3:a:twitter:twitter_kit:3.4.2