CVE-2019-17554
published 2019-12-04


Priority: P275 (medium, CVSS 3.1 base score 5.5)
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 12.25% (95.7th percentile)
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Affected (2 ranges)

Vendor    Product    Version range    Fixed in
apache    olingo
apache    olingo     4.0.0 – 4.6.0

Detection & IOCs (extracted from sources)

url: POST /odata-server-sample/cars.svc/Cars HTTP/1.1
path: org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java
  • Detect XXE exploitation attempts against Apache Olingo by inspecting HTTP POST requests with Content-Type 'application/xml' targeting OData service endpoints (e.g. /cars.svc/). Payloads will contain a DOCTYPE declaration with an ENTITY referencing an external resource (e.g. file:// or http://).
  • Flag HTTP POST requests to Apache Olingo OData endpoints where the body contains both a DOCTYPE declaration and an external ENTITY reference — a hallmark of XXE payload delivery.
  • Monitor HTTP 201 Created responses from OData endpoints that contain file-system content (e.g. /etc/passwd lines) embedded in XML fields, indicating successful XXE data exfiltration.
  • Inspect the XMLInputFactory instantiation in the vulnerable class ODataXmlDeserializer.java; the absence of the properties SUPPORT_DTD=false and isSupportingExternalEntities=false confirms a vulnerable configuration.
  • The fix requires explicitly setting both XMLInputFactory properties on the shared static FACTORY instance in ODataXmlDeserializer.java: SUPPORT_DTD=false and javax.xml.stream.isSupportingExternalEntities=false.
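As an added illustration (not Olingo's own code; the class and method names are hypothetical), the Java below builds an XMLInputFactory the way the fix describes, applies the configuration check from the bullets above, and parses a constructed document carrying a harmless internal DTD entity so the difference between a default and a hardened factory is visible:

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Hypothetical helper class; not part of Apache Olingo. */
public class OlingoXxeHardeningCheck {

    /** Builds a factory configured as the fix requires: no DTD processing, no external entities. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Constant value is "javax.xml.stream.isSupportingExternalEntities".
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** The configuration check from the bullets above: both properties must be explicitly false. */
    static boolean isHardened(XMLInputFactory f) {
        return Boolean.FALSE.equals(f.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(f.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    /** Parses body with the given factory; returns the character content, or "DENIED: ..." if the parser refused it. */
    static String textContent(XMLInputFactory f, String body) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(body));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return "DENIED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an internal entity only, enough to show whether DTD processing is active.
        String body = "<?xml version=\"1.0\"?><!DOCTYPE a [<!ENTITY e \"entity expanded\">]><a>&e;</a>";
        XMLInputFactory defaults = XMLInputFactory.newFactory(); // JDK default: SUPPORT_DTD=true
        XMLInputFactory hardened = hardenedFactory();
        System.out.println("default factory hardened=" + isHardened(defaults) + " -> " + textContent(defaults, body));
        System.out.println("fixed factory   hardened=" + isHardened(hardened) + " -> " + textContent(hardened, body));
    }
}
```

With the JDK's built-in StAX implementation the hardened factory rejects the document with an XMLStreamException, while the default factory expands the entity; the same check applied to Olingo's shared static FACTORY distinguishes a fixed build from a vulnerable one.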

CVSS provenance

nvd        v3.1    5.5    MEDIUM    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd        v2.0    4.3    MEDIUM    AV:N/AC:M/Au:N/C:P/I:N/A:N
vulncheck          5.5    MEDIUM