Description: daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains a CWE-295: Improper Certificate Validation vulnerability in its HTTPS client. Any server certificate that is not signed by a trusted CA, including self-signed and expired certificates, is accepted by the client. The vulnerability is exploitable when the victim connects to a server whose connection is intercepted (MITMed or proxied) by an attacker.

Affected Product: DSub for Subsonic (Android client)
Vendor of Product: daneren2005
Version Affected: 5.4.2 (latest as of Sept 4, 2018) and below
CVE: CVE-2018-1000664
Status: Still unpatched as of time of writing
Vulnerability Type: CWE-295: Improper Certificate Validation
Attack Type: Remote
Attack Vectors: To exploit the vulnerability, a MITM attacker can present any untrusted or expired certificate to the client.
Discoverer: Andrew Klaus (andrewklaus@gmail.com)

Mitigation: The only mitigation is to not use the app over an untrusted network, or to use a client that does verify that the server certificate is valid. Another client, Ultrasonic, which is available on the Play Store and is free and open source, successfully verified the server TLS certificate.

Other notes: There has been an open ticket on GitHub since Nov 2012 that confirms self-signed certificates are allowed by the application: https://github.com/daneren2005/Subsonic/issues/60

Timeline:
Aug 20, 2018: Contacted developer via Twitter and GitHub with no reply
Sept 4, 2018: Assigned CVE
Sept 4, 2018: Disclosing to Full Disclosure
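For readers maintaining a Subsonic client of their own, the following added example (not DSub's code, and not a description of how DSub implements its HTTPS client) contrasts the well-known CWE-295 pattern of a trust-everything TrustManager with a hardened form that still performs full chain, validity-period and hostname checks while trusting the user's own self-signed server certificate or private CA. The class name SubsonicTls, the alias "subsonic-server" and the assumption that the PEM comes from an app asset or user-chosen file are illustrative.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class SubsonicTls {

    // Anti-pattern (illustrative only): check methods that never throw accept
    // every chain, so self-signed and expired certificates pass. Paired with a
    // HostnameVerifier that returns true, this is CWE-295 in an HTTPS client.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened form: the user's own server certificate (or private CA) becomes
    // the trust anchor, and the platform's PKIX validation still runs against it.
    // Servers presenting any other chain, or an expired one, are rejected.
    static SSLContext contextTrusting(InputStream serverCertPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor = (X509Certificate) cf.generateCertificate(serverCertPem);
        anchor.checkValidity();            // refuse an expired/not-yet-valid anchor up front

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);               // empty in-memory store
        ks.setCertificateEntry("subsonic-server", anchor);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                      // chain + validity checks against this anchor

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Leave the default HostnameVerifier in place: it matches the
        // certificate against url.getHost(), which a (h, s) -> true override loses.
        return conn;
    }
}
```

A server that later moves to a publicly trusted certificate should be accessed with the default SSLContext instead, since the context above trusts only the single anchor it was given.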