GHSA-8p8g-f9vg-r7xr

Source

https://github.com/advisories/GHSA-8p8g-f9vg-r7xr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-8p8g-f9vg-r7xr/GHSA-8p8g-f9vg-r7xr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8p8g-f9vg-r7xr

Aliases

CVE-2018-1000850

Published

2018-12-21T17:48:19Z

Modified

2024-02-16T08:01:53.624924Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Directory Traversal vulnerability in Square Retrofit

Details

Square Retrofit versions from (including) 2.0 to 2.5.0 (excluding) contain a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter. By manipulating the URL an attacker could add or delete resources otherwise unavailable to her. This attack appears to be exploitable via an encoded path parameter on POST, PUT or DELETE request. This vulnerability appears to have been fixed in 2.5.0 and later.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:26:16Z"
}

References

Affected packages

Maven / com.squareup.retrofit2:retrofit

Package

Name: com.squareup.retrofit2:retrofit; View open source insights on deps.dev
Purl: pkg:maven/com.squareup.retrofit2/retrofit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.5.0

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.1.0

2.2.0

2.3.0

2.4.0