Directory Traversal vulnerability in Square Retrofit
High severity
GitHub Reviewed
Published
Dec 21, 2018
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Package
Affected versions
>= 2.0.0, < 2.5.0
Patched versions
2.5.0
Description
Published to the GitHub Advisory Database
Dec 21, 2018
Reviewed
Jun 16, 2020
Last updated
Jan 9, 2023
Square Retrofit versions from (including) 2.0 to 2.5.0 (excluding) contain a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter. By manipulating the URL an attacker could add or delete resources otherwise unavailable to her. This attack appears to be exploitable via an encoded path parameter on POST, PUT or DELETE request. This vulnerability appears to have been fixed in 2.5.0 and later.
References