CVE-2019-17556

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-17556

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17556.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-17556

Aliases

GHSA-gj76-429m-56wc

Published

2019-12-04T17:16:43.930Z

Modified

2026-04-10T04:13:12.545867Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E

Affected packages

Git / github.com/apache/olingo-odata4

Affected ranges

Type

GIT

Repo

https://github.com/apache/olingo-odata4

Events

Introduced

ca40833b20e6cae9869f556f93095c0d5fc6d059

Last affected

6e0a5cb43ae2ca8501cb15746013543c13cd9329

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.6.0"
        }
    ]
}

Affected versions

4.*

4.0.0

4.2.0

4.2.0-RC01

4.3.0

4.3.0-RC01

4.3.0-beta

4.4.0

4.5.0

4.6.0

4.6.0-RC01

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17556.json"