Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Filtered by product Olingo
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-17556 1 Apache 1 Olingo 2024-02-04 10.0 HIGH 9.8 CRITICAL
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
CVE-2019-17554 1 Apache 1 Olingo 2024-02-04 4.3 MEDIUM 5.5 MEDIUM
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
CVE-2019-17555 1 Apache 1 Olingo 2024-02-04 5.0 MEDIUM 7.5 HIGH
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
CVE-2020-1925 1 Apache 1 Olingo 2024-02-04 5.0 MEDIUM 7.5 HIGH
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.