Squareup
Products by Squareup Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 0 vulnerabilities in Squareup . Last year Squareup had 3 security vulnerabilities published. Right now, Squareup is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 3 | 6.30 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 3.30 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 5.90 |
| 2018 | 2 | 8.30 |
It may take a day or so for new Squareup vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Squareup Security Vulnerabilities
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw
CVE-2023-0833
5.5 - Medium
- September 27, 2023
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
Generation of Error Message Containing Sensitive Information
DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker
CVE-2023-3782
5.9 - Medium
- July 19, 2023
DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer
CVE-2023-3635
7.5 - High
- July 12, 2023
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Incorrect Conversion between Numeric Types
This affects all versions of package com.squareup:connect
CVE-2021-23331
3.3 - Low
- February 03, 2021
This affects all versions of package com.squareup:connect. The method prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround fix for this issue is to set the system property java.io.tmpdir to a safe directory as remediation. Note: This version of the SDK is end of life and no longer maintained, please upgrade to the latest version.
CertificatePinner.java in OkHttp 3.x through 3.12.0
CVE-2018-20200
5.9 - Medium
- April 18, 2019
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967
Improper Certificate Validation
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB
CVE-2018-1000844
9.1 - Critical
- December 20, 2018
Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.
XXE
Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter
CVE-2018-1000850
7.5 - High
- December 20, 2018
Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later.
Directory traversal
OkHttp before 2.7.4 and 3.x before 3.1.2
CVE-2016-2402
5.9 - Medium
- January 30, 2017
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
Improper Certificate Validation
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules
CVE-2015-8968
8.8 - High
- November 03, 2016
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.
Command Injection
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command
CVE-2015-8969
9.8 - Critical
- November 03, 2016
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library.
Command Injection