Squareup
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Squareup product.
RSS Feeds for Squareup security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Squareup products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Squareup Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Squareup. Squareup did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 3 | 6.30 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 3.30 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
| 2018 | 2 | 8.30 |
It may take a day or so for new Squareup vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Squareup Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2023-0833 | Sep 27, 2023 |
Red Hat AMQ-Streams OKHttp Info Disclosure via Illegal HeaderA flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions. |
Okhttp
|
| CVE-2023-3782 | Jul 19, 2023 |
DoS via BrotliInterceptor Brotli zip-bomb in OkHttpDoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response |
Okhttp
Okhttp Brotli
|
| CVE-2023-3635 | Jul 12, 2023 |
Okio GzipSource DoS from Malformed GZIP BufferGzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class. |
Okio
|
| CVE-2021-23331 | Feb 03, 2021 |
This affects all versions of package com.squareup:connectThis affects all versions of package com.squareup:connect. The method prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround fix for this issue is to set the system property java.io.tmpdir to a safe directory as remediation. Note: This version of the SDK is end of life and no longer maintained, please upgrade to the latest version. |
Connect Java Software Development Kit
|
| CVE-2018-20200 | Apr 18, 2019 |
CertificatePinner.java in OkHttp 3.x through 3.12.0CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967 |
Okhttp
|
| CVE-2018-1000844 | Dec 20, 2018 |
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXBSquare Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437. |
Retrofit
|
| CVE-2018-1000850 | Dec 20, 2018 |
Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameterSquare Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later. |
Retrofit
|
| CVE-2016-2402 | Jan 30, 2017 |
OkHttp before 2.7.4 and 3.x before 3.1.2OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. |
Okhttp3
Okhttp
|
| CVE-2015-8968 | Nov 03, 2016 |
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodulesgit-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories. |
Git Fastclone
|
| CVE-2015-8969 | Nov 03, 2016 |
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell commandgit-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library. |
Git Fastclone
|