CVE-2019-17556 — Deserialization of Untrusted Data in Apache Olingo

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 26.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Olingo

Timeline

PublishedDec 4

Latest updateFeb 4

Description

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/olingo4.0.0 — 4.6.0

▶CVEListV5apache/olingo4.0.0 to 4.6.0

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in Apache Olingo↗2020-02-04

▶

OSV

Deserialization of Untrusted Data in Apache Olingo↗2020-02-04

▶

CVEList

CVE-2019-17556: Apache Olingo versions 4↗2019-12-04

▶