CVE-2019-17556

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-17556

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17556.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-17556

Aliases

GHSA-gj76-429m-56wc

Published

2019-12-04T17:16:43Z

Modified

2024-09-03T02:29:10.514952Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E

Affected packages

Git / github.com/apache/olingo-odata4

Affected ranges

Type: GIT
Repo: https://github.com/apache/olingo-odata4
Events: Introduced

ca40833b20e6cae9869f556f93095c0d5fc6d059

Last affected

6e0a5cb43ae2ca8501cb15746013543c13cd9329

Affected versions

4.*

4.0.0

4.1.0

4.1.0-RC01

4.2.0

4.2.0-RC01

4.3.0

4.3.0-RC01

4.3.0-beta

4.4.0

4.5.0

4.6.0

4.6.0-RC01