CVE-2019-17556

CRITICAL

Apache Olingo 4.0.0 to 4.6.0 - Insecure Deserialization in AbstractService (fixed in 4.7.0)

Title source: rule

Description

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API. It deserializes metadata with ObjectInputStream without validating the classes being deserialized (CWE-502). If an attacker can feed malicious metadata to the class, the result in the worst case is execution of attacker-controlled code inside the consuming application. The vulnerable class ships in the odata-client-proxy artifact, so the exposed party is the client-side code that accepts metadata from a server or other untrusted source; the fix is to upgrade to 4.7.0 or later.
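The weakness the description names, shown as an added Java example that is not Olingo's code: a client reads a serialized "metadata" object with a bare ObjectInputStream (any class on the classpath can be instantiated), next to a hardened reader that installs a JEP 290 ObjectInputFilter (Java 9 and later) and admits only the expected type. The MetadataBlob class, the method names and the constructed inputs are assumptions for illustration.

```java
import java.io.*;

/**
 * Illustration of the CWE-502 pattern described in this advisory.
 * Example code, not Apache Olingo's AbstractService; all names are assumed.
 */
public class MetadataDeserializationDemo {

    /** Stand-in for the serialized metadata object the client expects. */
    public static final class MetadataBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String serviceRoot;
        public MetadataBlob(String serviceRoot) { this.serviceRoot = serviceRoot; }
    }

    /** Vulnerable pattern: no filter, so whatever class the stream names is loaded. */
    public static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: allowlist the expected classes, bound depth and reference count. */
    public static MetadataBlob readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Called for stream elements that carry no class (e.g. limit checks); defer.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            if (info.depth() > 4 || info.references() > 100) {
                return ObjectInputFilter.Status.REJECTED; // resource-exhaustion guard
            }
            // MetadataBlob itself and the String held in its serviceRoot field; nothing else.
            return (c == MetadataBlob.class || c == String.class)
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return (MetadataBlob) in.readObject();
        }
    }

    /** Helper used only to build the constructed sample inputs below. */
    public static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one benign blob and one object of a type the client never expects.
        byte[] benign = serialize(new MetadataBlob("https://example.invalid/odata/"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        // The unchecked reader happily instantiates the unexpected type.
        System.out.println("unchecked: " + readUnchecked(unexpected).getClass().getName());

        // The filtered reader accepts the expected type ...
        System.out.println("filtered benign: " + readFiltered(benign).serviceRoot);

        // ... and rejects the unexpected one before any of its content is processed.
        try {
            readFiltered(unexpected);
            System.out.println("filtered: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException thrown by the JDK when the filter returns REJECTED. The same allowlist can be expressed declaratively with ObjectInputFilter.Config.createFilter using a pattern string, or process-wide with the jdk.serialFilter system property; a per-stream filter as above is preferable when the set of expected classes is known, as it is for a metadata document. Adding a filter to your own code does not patch the library: for Olingo the remediation is the 4.7.0 upgrade, and a dependency-tree check (for example mvn dependency:tree) is the quickest way to confirm which odata-client-proxy version is actually resolved.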

Scores

CVSS v3.1 base score 9.8 (Critical)
EPSS 0.0078 (0.78% estimated probability of exploitation)
EPSS Percentile 73.5%
Attack Vector NETWORK
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (2)

apache/olingo 4.0.0 to 4.6.0 (fixed in 4.7.0)
org.apache.olingo/odata-client-proxy < 4.7.0 (Maven)

Timeline

Published Dec 04, 2019
Tracked Since Feb 18, 2026