Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
References
Link | Resource |
---|---|
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E | Mailing List Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2019-12-04T16:59:49
Updated: 2019-12-04T16:59:49
Reserved: 2019-10-14T00:00:00
Link: CVE-2019-17556
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-12-04T17:16:43.930
Modified: 2019-12-13T22:19:08.757
Link: CVE-2019-17556
JSON object: View
Redhat Information
No data.
CWE