CVE-2019-17556

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:olingo:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:32

Type Values Removed Values Added
References () https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E - Mailing List, Vendor Advisory () https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E - Mailing List, Vendor Advisory

Information

Published : 2019-12-04 17:16

Updated : 2024-11-21 04:32


NVD link : CVE-2019-17556

Mitre link : CVE-2019-17556

CVE.ORG link : CVE-2019-17556


JSON object : View

Products Affected

apache

  • olingo
CWE
CWE-502

Deserialization of Untrusted Data