Filtered by vendor Squareup
Subscribe
Search
Total
8 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-3782 | 1 Squareup | 1 Okhttp-brotli | 2023-08-02 | N/A | 5.9 MEDIUM |
| DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response | |||||
| CVE-2023-3635 | 1 Squareup | 1 Okio | 2023-07-26 | N/A | 7.5 HIGH |
| GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class. | |||||
| CVE-2016-2402 | 1 Squareup | 2 Okhttp, Okhttp3 | 2021-02-01 | 4.3 MEDIUM | 5.9 MEDIUM |
| OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. | |||||
| CVE-2018-20200 | 1 Squareup | 1 Okhttp | 2020-12-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967. | |||||
| CVE-2015-8969 | 1 Squareup | 1 Git-fastclone | 2020-06-10 | 10.0 HIGH | 9.8 CRITICAL |
| git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library. | |||||
| CVE-2015-8968 | 1 Squareup | 1 Git-fastclone | 2020-06-10 | 9.3 HIGH | 8.8 HIGH |
| git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories. | |||||
| CVE-2018-1000850 | 1 Squareup | 1 Retrofit | 2019-10-17 | 6.4 MEDIUM | 7.5 HIGH |
| Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later. | |||||
| CVE-2018-1000844 | 1 Squareup | 1 Retrofit | 2019-07-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437. | |||||