Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqNzYtNDI5bS01Nndj
Deserialization of Untrusted Data in Apache Olingo
Apache Olingo versions 4.0.0 through 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream, and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, the result in the worst case is execution of the attacker's code.
Permalink: https://github.com/advisories/GHSA-gj76-429m-56wc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdqNzYtNDI5bS01Nndj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-gj76-429m-56wc, CVE-2019-17556
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-17556
- https://github.com/apache/olingo-odata4/pull/60/files
- https://issues.apache.org/jira/browse/OLINGO-1410
- https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
- https://github.com/advisories/GHSA-gj76-429m-56wc
Blast Radius: 8.9
Affected Packages
maven:org.apache.olingo:odata-client-proxy
Dependent packages: 3
Dependent repositories: 8
Downloads:
Affected Version Ranges: >= 4.0.0, <= 4.6.0
Fixed in: 4.7.0
All affected versions: 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
All unaffected versions: 4.7.0, 4.7.1, 4.8.0, 4.9.0, 4.10.0, 5.0.0