Description: The Subsonic Music Streamer application 4.4 for Android has Improper Certificate Validation of the Subsonic server certificate, which might allow man-in-the-middle attackers to obtain interaction data.

Affected Product: Subsonic Music Streamer (Android client)
Vendor of Product: Sindre Mehus
Version(s) Affected: 4.4 and below (latest as of Sept 4, 2018)
CVE: CVE-2018-15898
Status: Still unpatched as of time of writing
Vulnerability Type: CWE-295: Improper Certificate Validation
Attack Type: Remote

Attack Vectors: To exploit the vulnerability, a MITM attacker can present any untrusted or expired certificate to the client; the client accepts it without verification.

Discoverer: Andrew Klaus (andrewklaus@gmail.com)

Mitigation: The only mitigations are to avoid using the app over an untrusted network, or to switch to a client that verifies the server certificate. Another client, Ultrasonic, which is available on the Play Store and is free and open source, successfully verified the server TLS certificate.

Other notes: The app hasn't been updated since 2014, so it's unlikely to be updated any time soon, if at all.

Timeline:
Aug 20, 2018: Contacted developer via official email address mail@subsonic.org with no reply
Aug 27, 2018: Assigned CVE
Sept 4, 2018: Disclosing to Full Disclosure
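The advisory states that the client accepts any certificate but does not say how validation is defeated inside the app. The following is an added illustration, not code from the advisory or from the Subsonic project: it places the most common CWE-295 pattern on Android (a trust-all X509TrustManager plus a permissive HostnameVerifier, assumed here as the typical cause, not confirmed for Subsonic) beside a connection that keeps the platform defaults, and provides a check that reports whether a TLS handshake to a given server is accepted. The host name is a placeholder; point it at a server you operate.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SubsonicTlsCheck {

    /**
     * INSECURE (CWE-295 anti-pattern, shown for contrast only): the custom
     * TrustManager never throws, so expired, self-signed and attacker-issued
     * chains are all accepted, and the HostnameVerifier accepts any host name.
     * An on-path attacker can therefore terminate TLS with any certificate.
     */
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } // never rejects
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // any host name passes
        return conn;
    }

    /**
     * SECURE: do not override the defaults. The platform SSLSocketFactory
     * validates the chain against the device trust store (expiry included)
     * and the default HostnameVerifier matches the host against the certificate.
     */
    static HttpsURLConnection openSecure(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /**
     * Performs the TLS handshake and reports whether it was accepted.
     * Returns false when the chain or host name is rejected; other network
     * errors (unreachable host, DNS failure) propagate as IOException.
     */
    static boolean handshakeAccepted(HttpsURLConnection conn) throws IOException {
        try {
            conn.setRequestMethod("GET");
            conn.connect(); // the handshake happens here
            return true;
        } catch (SSLHandshakeException e) {
            return false;   // untrusted/expired chain or host-name mismatch
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host (assumption): substitute a Subsonic server you control,
        // e.g. one serving a self-signed or expired certificate for the test.
        URL url = new URL("https://subsonic.example.invalid/");
        System.out.println("insecure client accepted handshake: " + handshakeAccepted(openInsecure(url)));
        System.out.println("secure client accepted handshake:   " + handshakeAccepted(openSecure(url)));
    }
}
```

Against a server presenting an untrusted or expired certificate, the first line prints true and the second false; a client built like openInsecure behaves as the advisory describes. The fix is to delete the custom TrustManager and HostnameVerifier rather than to tune them; if a self-signed server certificate must be supported, add that specific certificate as a trust anchor (on Android, via the Network Security Configuration) instead of disabling validation.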