PT-2018-9574 · Square · Retrofit
Published: 2018-12-20 · Updated: 2019-10-17 · CVE-2018-1000850
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Square Retrofit versions 2.0 through 2.4.x
Description
The issue allows an attacker to manipulate the URL, potentially adding or deleting resources that would otherwise be unavailable. This can be exploited via an encoded path parameter on POST, PUT, or DELETE requests, specifically targeting the addPathParameter method in the RequestBuilder class.
Recommendations
For versions 2.0 through 2.4.x, update to version 2.5.0 or later to resolve the issue.
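For callers that pass pre-encoded path values, the following added example (not code from Retrofit or from this advisory) shows a guard that refuses a value when substituting it would put a `.` or `..` segment into the relative URL. The class name, base URL, template and sample values are constructed for illustration.

```java
import java.net.URI;
import java.util.regex.Pattern;

/** Added illustration; not Retrofit's code. All names and URLs are hypothetical. */
public class PathParamGuard {
    // A "." or ".." path segment, written literally or percent-encoded (%2e / %2E).
    private static final Pattern DOT_SEGMENT =
            Pattern.compile("(^|.*/)(\\.|%2[eE]){1,2}(/.*|$)");

    /** Substitutes an already-encoded value into {name}, refusing dot segments. */
    static String substitute(String template, String name, String encodedValue) {
        String result = template.replace("{" + name + "}", encodedValue);
        if (DOT_SEGMENT.matcher(result).matches()) {
            throw new IllegalArgumentException(
                    "path parameter '" + name + "' must not introduce '.' or '..' segments");
        }
        return result;
    }

    public static void main(String[] args) {
        URI base = URI.create("https://api.example.test/v1/"); // constructed
        String template = "users/{id}/avatar";                  // constructed

        // Benign value: stays under /v1/users/.
        System.out.println("accepted:  " + base.resolve(substitute(template, "id", "42")));

        // Constructed values that a caller forwarded without encoding them.
        for (String value : new String[] {"../admin", "%2e%2e/admin", "a/../../b"}) {
            // Where an unchecked substitution would point after dot-segment removal.
            // java.net.URI leaves %2e as-is; some URL parsers and servers treat it as ".".
            String unchecked = template.replace("{id}", value);
            System.out.println("unchecked: " + base.resolve(unchecked).normalize());
            try {
                substitute(template, "id", value);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected:  " + e.getMessage());
            }
        }
    }
}
```

The check runs on the whole substituted path rather than on the value alone, so a value that only becomes a dot segment in combination with the template is also caught.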
Exploit
Fix
Path traversal
Affected Products
Retrofit