CVE-2018-1000844 — XML External Entity (XXE) vulnerability in Square Retrofit

Description

Square Open Source Retrofit versions prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contain a XML External Entity (XXE) vulnerability in JAXB. An attacker could use this to remotely read files from the file system or to perform SSRF. This vulnerability appears to have been fixed in commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

How to fix CVE-2018-1000844

To remediate CVE-2018-1000844, upgrade the affected package to a fixed version below.

—upgrade to 2.5.0 or later

Is CVE-2018-1000844 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.0, < 2.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (4)

ADVISORYgithub.com/advisories/GHSA-j379-9jr9-w5cq
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-1000844
PATCHgithub.com/square/retrofit
WEBgithub.com/square/retrofit/pull/2735