Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
References
Link | Resource |
---|---|
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E | Mailing List Vendor Advisory |
Configurations
History
No history.
Information
Published : 2019-12-04 17:16
Updated : 2024-02-04 20:39
NVD link : CVE-2019-17556
Mitre link : CVE-2019-17556
CVE.ORG link : CVE-2019-17556
JSON object : View
Products Affected
apache
- olingo
CWE
CWE-502
Deserialization of Untrusted Data