GHSA-gj76-429m-56wc

Source

https://github.com/advisories/GHSA-gj76-429m-56wc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-gj76-429m-56wc/GHSA-gj76-429m-56wc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gj76-429m-56wc

Aliases

CVE-2019-17556

Published

2020-02-04T22:38:22Z

Modified

2023-11-08T04:01:24.128965Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in Apache Olingo

Details

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-02-04T22:35:09Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.apache.olingo:odata-client-proxy

Package

Name: org.apache.olingo:odata-client-proxy; View open source insights on deps.dev
Purl: pkg:maven/org.apache.olingo/odata-client-proxy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.7.0

Affected versions

4.*

4.0.0

4.1.0

4.2.0

4.3.0-beta

4.3.0

4.4.0

4.5.0

4.6.0

Database specific

{
    "last_known_affected_version_range": "<= 4.6.0"
}