CVE-2019-17554

MEDIUM EXPLOITED

Apache Olingo < 4.6.0 - XXE

Title source: rule

Description

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Exploits (1)

exploitdb WORKING POC

by Compass Security · textwebappsjava

https://www.exploit-db.com/exploits/47770

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html

[Mailing List] https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

[Mailing List, Vendor Advisory] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

[Exploit, Third Party Advisory] https://seclists.org/bugtraq/2019/Dec/11

Scores

CVSS v3 5.5

EPSS 0.5253

EPSS Percentile 97.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2021-04-12

CWE

CWE-611

Status published

Products (3)

apache/olingo 4.0.0 - 4.6.0

org.apache.olingo/odata-client-core 4.0.0 - 4.7.0Maven

org.apache.olingo/odata-server-core 4.0.0 - 4.7.0Maven

Published Dec 04, 2019

Tracked Since Feb 18, 2026