CVE-2019-17554

Severity: MEDIUM · Exploited

Apache Olingo 4.0.0-4.6.0 - XML External Entity Injection via XML Content Type Deserialization

Title source: llm

Exploitation Summary

CVE-2019-17554 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Compass Security.

AI-analyzed exploit summary: This exploit demonstrates an XML External Entity (XXE) attack against Apache Olingo OData 4.0, allowing an attacker to read arbitrary files from the server by sending a crafted XML payload.

Description

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can therefore be used to mount XXE attacks.

Exploits (1)

Exploit-DB · Working PoC
by Compass Security · text · webapps · java
https://www.exploit-db.com/exploits/47770

Classification
Working PoC: 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Olingo OData 4.x.x to 4.6.x
Authentication: none needed
Prerequisites: Network access to the target server · Apache Olingo OData 4.x.x to 4.6.x running on the target
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 5.5
EPSS: 0.5253
EPSS Percentile: 98.0%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

VulnCheck KEV: 2021-04-12
CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
Status: published
Products (3)
apache/olingo 4.0.0 - 4.6.0
org.apache.olingo/odata-client-core 4.0.0 - 4.7.0 (Maven)
org.apache.olingo/odata-server-core 4.0.0 - 4.7.0 (Maven)
Published: Dec 04, 2019
Tracked Since: Feb 18, 2026