CVE-2018-1000850 – com.squareup.retrofit2:retrofit
Package
Manager: maven
Name: com.squareup.retrofit2:retrofit
Vulnerable Version: >=2.0.0 <2.5.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0105 (percentile: 0.76714)
Details
Directory Traversal vulnerability in Square Retrofit. Square Retrofit versions from 2.0 (inclusive) to 2.5.0 (exclusive) contain a Directory Traversal vulnerability in the addPathParameter method of the RequestBuilder class. By manipulating the URL, an attacker could add or delete resources otherwise unavailable to her. This attack appears to be exploitable via an encoded path parameter on a POST, PUT or DELETE request. This vulnerability appears to have been fixed in 2.5.0 and later.
Metadata
Created: 2018-12-21T17:48:19Z
Modified: 2022-09-14T22:25:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-8p8g-f9vg-r7xr/GHSA-8p8g-f9vg-r7xr.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8p8g-f9vg-r7xr
Finding: F063
Auto approve: 1