Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1naDgtaGN3ai1oNTd2

Improper Restriction of XML External Entity Reference in Apache Olingo

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Permalink: https://github.com/advisories/GHSA-mgh8-hcwj-h57v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1naDgtaGN3ai1oNTd2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: over 1 year ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-mgh8-hcwj-h57v, CVE-2019-17554
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-17554
• https://github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63
• https://github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c
• https://issues.apache.org/jira/browse/OLINGO-1409
• https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
• https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
• https://seclists.org/bugtraq/2019/Dec/11
• http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
• https://github.com/advisories/GHSA-mgh8-hcwj-h57v

Repository: https://github.com/apache/olingo-odata4
Blast Radius: 11.5

Affected Packages