CVE-2018-1000850
Directory Traversal vulnerability in retrofit (Maven)
What is CVE-2018-1000850 About?
This vulnerability is a Directory Traversal flaw in Square Retrofit's RequestBuilder class. It allows attackers to manipulate URLs to access restricted directories or modify resources outside their intended scope. The vulnerability is exploitable via encoded path parameters in specific HTTP requests.
Affected Software
Technical Details
The Directory Traversal vulnerability resides within the addPathParameter method of the RequestBuilder class in Square Retrofit versions from 2.0 up to, but not including, 2.5.0. An attacker can craft a malicious URL containing encoded path traversal sequences (e.g., %2F..%2F or ..%2F). When this crafted URL is processed by addPathParameter during a POST, PUT, or DELETE request, the application fails to properly sanitize or normalize the path. This allows the attacker to navigate to arbitrary directories on the server's file system, potentially adding or deleting resources that should not be accessible.
What is the Impact of CVE-2018-1000850?
Successful exploitation may allow attackers to access, modify, or delete arbitrary files and directories on the server, potentially leading to data compromise, system disruption, or remote code execution.
What is the Exploitability of CVE-2018-1000850?
Exploitation of this Directory Traversal vulnerability is moderately complex, as it requires crafting specific URLs with encoded path parameters. There are no explicit authentication requirements, as the vulnerability resides in how URL paths are handled, which can often occur before authentication mechanisms are fully applied to specific resource access. Privilege requirements are low, as any user or even an unauthenticated actor capable of making HTTP requests can attempt to exploit this. This is a remote attack vector. The key special condition is the use of encoded path parameters within POST, PUT, or DELETE requests. The likelihood of exploitation increases if the application relies heavily on dynamic URL path construction based on user input without robust input validation and sanitization before passing the path to the addPathParameter method.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shoucheng3 | Link | PoC for CVE-2018-1000850 |
What are the Available Fixes for CVE-2018-1000850?
About the Fix from Resolved Security
The patch adds a check that detects and blocks path parameters containing "." or ".." as standalone path segments, preventing directory traversal attacks. This fixes CVE-2018-1000850 by ensuring user-supplied values for @Path do not allow clients to modify the request path in a way that escapes the intended URL structure, thus mitigating the risk of accessing unintended server resources.
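The kind of check described above, as an added example that is not Retrofit's own code: it substitutes a path parameter into a relative URL template and rejects the result if any segment is "." or "..". The class name, the template `users/{id}/files`, and the extra handling of %2e and %2f spellings are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;

public class PathParamGuard {
    /** Percent-encodes everything except RFC 3986 unreserved characters. "." is unreserved. */
    static String encodeSegment(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || "-._~".indexOf(c) >= 0;
            if (unreserved) out.append(c); else out.append(String.format("%%%02X", b & 0xff));
        }
        return out.toString();
    }

    /** True if any segment is "." or "..", also when written as %2e or split by %2f. */
    static boolean hasDotSegment(String path) {
        String decoded = path.replaceAll("(?i)%2e", ".").replaceAll("(?i)%2f", "/");
        for (String segment : decoded.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) return true;
        }
        return false;
    }

    /** Substitutes {name} in the template, then validates the whole resulting path. */
    static String addPathParam(String template, String name, String value, boolean alreadyEncoded) {
        String path = template.replace("{" + name + "}", alreadyEncoded ? value : encodeSegment(value));
        if (hasDotSegment(path)) {
            throw new IllegalArgumentException("@Path value must not form '.' or '..' segments: " + value);
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed sample values; the template and parameter name are hypothetical.
        String[][] samples = {
            {"42", "false"}, {"report.v1.2", "false"}, {"..", "false"},
            {"../admin", "true"}, {"%2e%2e", "true"}, {"..%2Fadmin", "true"}, {"../admin", "false"}};
        for (String[] s : samples) {
            try {
                System.out.println("ok       " + addPathParam("users/{id}/files", "id", s[0], Boolean.parseBoolean(s[1])));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

The third sample shows why percent-encoding alone is not enough: "." is an unreserved character, so a value of ".." passes through encoding unchanged and still forms a dot segment. Values such as "report.v1.2" are accepted because the check compares whole segments, not substrings.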
Available Upgrade Options
- com.squareup.retrofit2:retrofit
- >2.0.0, <2.5.0 → Upgrade to 2.5.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-8p8g-f9vg-r7xr
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://github.com/square/retrofit/blob/master/CHANGELOG.md
- https://access.redhat.com/errata/RHSA-2019:3892
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://ihacktoprotect.com/post/retrofit-path-traversal/
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://github.com/advisories/GHSA-8p8g-f9vg-r7xr
- https://github.com/square/retrofit/commit/b9a7f6ad72073ddd40254c0058710e87a073047d#diff-943ec7ed35e68201824904d1dc0ec982
What are Similar Vulnerabilities to CVE-2018-1000850?
Similar Vulnerabilities: CVE-2020-13936, CVE-2021-27805, CVE-2022-31120, CVE-2023-28432, CVE-2023-43187
