Archibald Haddock

1 exploit Active since Dec 2019
CVE-2019-17554 EXPLOITDB MEDIUM text WORKING POC
Apache Olingo 4.0.0-4.6.0 - XML External Entity Injection via XML Content Type Deserialization
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
CVSS 5.5