Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1naDgtaGN3ai1oNTd2
Improper Restriction of XML External Entity Reference in Apache Olingo
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can therefore be used to mount XXE attacks.
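The mitigation the advisory implies is an XML parser configured so that DTDs and external entities are never resolved. The following is an added illustration, not code from Apache Olingo or from the linked fix commits: it assumes a StAX `XMLInputFactory` (the standard Java streaming XML API) and shows the hardened factory settings alongside a constructed sample request body that declares an external entity, so a defender can see that such a body is rejected rather than fetched. The class name, the helper method names and the sample document are all assumptions made for this example.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

// Added example: a hardened StAX parser configuration, not Olingo's own code.
public class HardenedXmlDeserializer {

    // Constructed sample body: an XML document whose DTD declares an external entity.
    // The target is a harmless local path; the point is only that it must never be resolved.
    static final String SAMPLE_BODY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///dev/null\">]>\n"
      + "<d>&ext;</d>";

    // Hardened factory: disable DTD processing and external entity resolution.
    // Both property names are defined on javax.xml.stream.XMLInputFactory.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Minimal "deserializer": concatenates character content of the document.
    // With the hardened factory, a body like SAMPLE_BODY fails to parse instead of
    // yielding fetched content (the JDK's StAX implementation either skips the DTD
    // and then fails on the undeclared entity reference, or rejects the DOCTYPE;
    // in neither case is the external resource read).
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        try {
            String text = readText(hardenedFactory(), SAMPLE_BODY);
            System.out.println("parsed text: '" + text + "'");
        } catch (XMLStreamException e) {
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }
    }
}
```

For a deployed application, the first check is simply whether `org.apache.olingo:odata-server-core` or `odata-client-core` at a version in the affected range (>= 4.0.0, <= 4.6.0) appears in the dependency tree, e.g. via `mvn dependency:tree`; upgrading to 4.7.0 or later is the fix the advisory names, and the parser configuration above is the general defense for any code path of your own that parses XML from untrusted requests.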
Permalink: https://github.com/advisories/GHSA-mgh8-hcwj-h57v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1naDgtaGN3ai1oNTd2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-mgh8-hcwj-h57v, CVE-2019-17554
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-17554
- https://github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63
- https://github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c
- https://issues.apache.org/jira/browse/OLINGO-1409
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
- https://seclists.org/bugtraq/2019/Dec/11
- http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
- https://github.com/advisories/GHSA-mgh8-hcwj-h57v
Blast Radius: 11.5
Affected Packages
maven:org.apache.olingo:odata-server-core
Dependent packages: 31
Dependent repositories: 125
Downloads:
Affected Version Ranges: >= 4.0.0, <= 4.6.0
Fixed in: 4.7.0
All affected versions: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
All unaffected versions: 4.7.0, 4.7.1, 4.8.0, 4.9.0, 4.10.0, 5.0.0
maven:org.apache.olingo:odata-client-core
Dependent packages: 21
Dependent repositories: 78
Downloads:
Affected Version Ranges: >= 4.0.0, <= 4.6.0
Fixed in: 4.7.0
All affected versions: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
All unaffected versions: 4.7.0, 4.7.1, 4.8.0, 4.9.0, 4.10.0, 5.0.0