CVE-2019-17556
CRITICAL
Apache Olingo 4.0.0-4.6.0 - Deserialization of Untrusted Data in AbstractService
Title source: llmDescription
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API. It reads its input with ObjectInputStream and does not restrict which classes may be deserialized. If an attacker can feed malicious metadata to the class, the result in the worst case is execution of attacker-controlled code.
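The pattern behind CWE-502 here, and the usual remedy, side by side. This is an added example written for this page; it is not Olingo's code. The framing of the metadata blob as base64-wrapped gzip, and every class and method name below (MetadataDeserializationDemo, ServiceMetadata, NotMetadata, loadUnchecked, loadFiltered), are assumptions made for the demonstration. The hardened loader uses java.io.ObjectInputFilter (JEP 290, Java 9 and later); on Java 8 the equivalent is a subclass of ObjectInputStream that overrides resolveClass and rejects anything not on the allow-list.

```java
import java.io.*;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class MetadataDeserializationDemo {

    // Hypothetical metadata type standing in for whatever a service actually deserializes.
    public static final class ServiceMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String namespace;
        ServiceMetadata(String namespace) { this.namespace = namespace; }
    }

    // Harmless on its own, but NOT on the allow-list. It stands in for an
    // attacker-chosen class: any Serializable type reachable on the classpath
    // would be instantiated by the unchecked loader in exactly the same way.
    public static final class NotMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload = "not metadata";
    }

    // Build a blob in the assumed wire shape: Java serialization -> gzip -> base64.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(bytes))) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    // VULNERABLE pattern (CWE-502): the stream names the class, the JVM instantiates it,
    // and readObject() runs that class's deserialization hooks before we see the result.
    static Object loadUnchecked(String compressedMetadata) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(compressedMetadata);
        try (ObjectInputStream ois = new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(raw)))) {
            return ois.readObject();
        }
    }

    // Allow-list filter: only the expected metadata type (plus String for its fields),
    // bounded depth and size, everything else rejected by the trailing "!*".
    static final ObjectInputFilter METADATA_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=1048576;"
            + ServiceMetadata.class.getName() + ";"
            + "java.lang.String;!*");

    // HARDENED: the filter is consulted for every class descriptor before it is resolved,
    // so a disallowed class never gets instantiated; the instanceof check guards the cast.
    static ServiceMetadata loadFiltered(String compressedMetadata) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(compressedMetadata);
        try (ObjectInputStream ois = new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(raw)))) {
            ois.setObjectInputFilter(METADATA_ONLY);
            Object o = ois.readObject();
            if (!(o instanceof ServiceMetadata)) {
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            }
            return (ServiceMetadata) o;
        }
    }

    public static void main(String[] args) throws Exception {
        String good = encode(new ServiceMetadata("Example.Svc"));
        String bad = encode(new NotMetadata());   // constructed stand-in for attacker-supplied metadata

        System.out.println("unchecked, good: " + loadUnchecked(good).getClass().getSimpleName());
        System.out.println("unchecked, bad : " + loadUnchecked(bad).getClass().getSimpleName()); // attacker's class was instantiated
        System.out.println("filtered,  good: " + loadFiltered(good).namespace);
        try {
            loadFiltered(bad);
            System.out.println("filtered,  bad : ACCEPTED (filter not in effect?)");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a filter rejection as InvalidClassException
            System.out.println("filtered,  bad : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac MetadataDeserializationDemo.java && java MetadataDeserializationDemo`. The unchecked loader happily returns a NotMetadata instance from the "bad" blob; that instantiation is the whole problem, since a real gadget class does its damage inside readObject before any downstream type check can run. The filtered loader rejects the same blob before the class is resolved. A process-wide default filter (`-Djdk.serialFilter=...` or `ObjectInputFilter.Config.setSerialFilter`) is a useful belt-and-braces measure for code you do not control, but a per-stream allow-list like the one above is the check that belongs next to the readObject call itself.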
References (1)
Mailing List, Vendor Advisory (Apache Olingo user list, December 2019):
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Scores
CVSS v3
9.8
EPSS
0.0078
EPSS Percentile
73.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
apache/olingo
4.0.0 - 4.6.0
org.apache.olingo/odata-client-proxy
4.0.0 - 4.7.0 (Maven)
Published
Dec 04, 2019
Tracked Since
Feb 18, 2026