{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T22:12:54.705","vulnerabilities":[{"cve":{"id":"CVE-2018-1000850","sourceIdentifier":"cve@mitre.org","published":"2018-12-20T15:29:02.423","lastModified":"2024-11-21T03:40:29.607","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later."},{"lang":"es","value":"Square Retrofit, desde la versión 2.0 (incluida) y 2.5.0 (excluida), contiene una vulnerabilidad de salto de directorio en la clase RequestBuilder, método addPathParameter. Al manipular la URL, un atacante podría añadir o eliminar recursos que no estarían disponibles. Para que el ataque sea explotable, un atacante debería tener acceso a un parámetro path cifrado en las peticiones POST, PUT o DELETE. La vulnerabilidad parece haber sido solucionada en las versiones 2.5.0 y siguientes."}],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:P","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:squareup:retrofit:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.5.0","matchCriteriaId":"D1F642F3-1814-4D87-8C53-059F499EA23B"}]}]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2019:3892","source":"cve@mitre.org"},{"url":"https://github.com/square/retrofit/blob/master/CHANGELOG.md","source":"cve@mitre.org","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/square/retrofit/commit/b9a7f6ad72073ddd40254c0058710e87a073047d#diff-943ec7ed35e68201824904d1dc0ec982","source":"cve@mitre.org","tags":["Patch","Third Party Advisory"]},{"url":"https://ihacktoprotect.com/post/retrofit-path-traversal/","source":"cve@mitre.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E","source":"cve@mitre.org"},{"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E","source":"cve@mitre.org"},{"url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E","source":"cve@mitre.org"},{"url":"https://access.redhat.com/errata/RHSA-2019:3892","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://github.com/square/retrofit/blob/master/CHANGELOG.md","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/square/retrofit/commit/b9a7f6ad72073ddd40254c0058710e87a073047d#diff-943ec7ed35e68201824904d1dc0ec982","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://ihacktoprotect.com/post/retrofit-path-traversal/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}