Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1000844

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

Published

2018-12-20T15:29:02.127

Last Modified

2024-11-21T03:40:28.860

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.1 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	squareup	retrofit	< 2.5.0	Yes

References

https://github.com/square/retrofit/pull/2735 Third Party Advisory ([email protected])
https://github.com/square/retrofit/pull/2735 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)