Vulnerabilities (CVE)

Filtered by vendor Squareup Subscribe
Total 10 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-20200 1 Squareup 1 Okhttp 2024-05-17 4.3 MEDIUM 5.9 MEDIUM in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in
CVE-2023-3782 1 Squareup 1 Okhttp-brotli 2023-12-10 N/A 5.9 MEDIUM
DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response
CVE-2023-0833 2 Redhat, Squareup 2 A-mq Streams, Okhttp 2023-12-10 N/A 5.5 MEDIUM
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CVE-2023-3635 1 Squareup 1 Okio 2023-12-10 N/A 7.5 HIGH
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
CVE-2021-23331 1 Squareup 1 Connect Java Software Development Kit 2023-12-10 2.1 LOW 3.3 LOW
This affects all versions of package com.squareup:connect. The method prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround fix for this issue is to set the system property to a safe directory as remediation. Note: This version of the SDK is end of life and no longer maintained, please upgrade to the latest version.
CVE-2018-1000844 1 Squareup 1 Retrofit 2023-12-10 6.4 MEDIUM 9.1 CRITICAL
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
CVE-2018-1000850 1 Squareup 1 Retrofit 2023-12-10 6.4 MEDIUM 7.5 HIGH
Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later.
CVE-2016-2402 1 Squareup 2 Okhttp, Okhttp3 2023-12-10 4.3 MEDIUM 5.9 MEDIUM
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
CVE-2015-8968 1 Squareup 1 Git-fastclone 2023-12-10 9.3 HIGH 8.8 HIGH
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.
CVE-2015-8969 1 Squareup 1 Git-fastclone 2023-12-10 10.0 HIGH 9.8 CRITICAL
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library.