CVE-2019-17554
MEDIUM5.5EPSS 52.5%Improper Restriction of XML External Entity Reference in Apache Olingo
Published: 2/4/2020Modified: 11/8/2023
Description
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Affected packages (2)
- Maven/org.apache.olingo:odata-client-core>= 4.0.0, < 4.7.0
- Maven/org.apache.olingo:odata-server-core>= 4.0.0, < 4.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-17554
- WEBhttp://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
- WEBhttps://github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63
- WEBhttps://github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c
- WEBhttps://issues.apache.org/jira/browse/OLINGO-1409
- WEBhttps://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- WEBhttps://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
- WEBhttps://seclists.org/bugtraq/2019/Dec/11