CVE-2019-17556
Deserialization of Untrusted Data in Apache Olingo
9.8
CRITICAL
CVSS 3.1
EPSS 0.78%
Description
Apache Olingo versions 4.0.0 through 4.6.0 ship the AbstractService class, which is public API. It reads metadata with a plain ObjectInputStream and does not restrict which classes may be deserialized. If an attacker can supply malicious serialized metadata to the class, the worst case is execution of attacker-controlled code in the JVM that deserializes it. As with any unfiltered Java deserialization, actual code execution depends on a usable gadget chain being present on the application's classpath; the vulnerability is the missing class check, not any particular gadget.
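As an added illustration (not code from this page or from the Olingo project), the following Java program contrasts the pattern the description names, a plain ObjectInputStream over Base64-encoded metadata that instantiates whatever class names the stream carries, with the hardened form Java 9+ provides through JEP 290 ObjectInputFilter (the same API exists on 8u121+ as sun.misc.ObjectInputFilter): an allow-list of the classes the metadata legitimately contains plus depth, reference and byte limits, checked before any class is resolved. The package name example.metadata, the EdmMetadata class, the method names and the filter pattern are assumptions for this demo; the real AbstractService field layout and the change made in 4.7.0 are not reproduced here. The foreign object in main is a constructed stand-in for any class outside the allow-list, not an exploit payload.

```java
package example.metadata;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for serialized OData metadata; not Olingo's Edm model. */
public class MetadataDemo {

    public static class EdmMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String namespace;
        final Map<String, String> entitySets = new HashMap<>();

        EdmMetadata(String namespace) { this.namespace = namespace; }
    }

    /** Vulnerable pattern: every class descriptor in the stream is resolved and instantiated. */
    static Object loadUnfiltered(String base64Metadata) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Metadata);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /**
     * Hardened form: JEP 290 allow-list. Only the metadata classes, HashMap and String may appear;
     * "!*" rejects everything else, and the limits bound depth, back-references and stream size.
     */
    static final ObjectInputFilter METADATA_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=16;maxrefs=10000;maxbytes=1048576;"
            + "example.metadata.**;java.util.HashMap;java.lang.String;!*");

    static EdmMetadata loadFiltered(String base64Metadata) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Metadata);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(METADATA_FILTER); // must be set before readObject()
            return (EdmMetadata) in.readObject();
        }
    }

    /** Helper to build the Base64 form the loaders consume (constructed test input). */
    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        EdmMetadata md = new EdmMetadata("Demo.Service");
        md.entitySets.put("Products", "Demo.Service.Product");
        String legitimate = serialize(md);
        // Constructed stand-in for a class the metadata should never contain.
        String foreign = serialize(new java.math.BigInteger("42"));

        System.out.println("unfiltered, legitimate: " + loadUnfiltered(legitimate).getClass().getName());
        // The bug: the unfiltered loader happily instantiates whatever the stream names.
        System.out.println("unfiltered, foreign:    " + loadUnfiltered(foreign).getClass().getName());
        System.out.println("filtered,   legitimate: " + loadFiltered(legitimate).namespace);
        try {
            loadFiltered(foreign);
        } catch (InvalidClassException e) {
            // Thrown from the class-descriptor check, before BigInteger is instantiated.
            System.out.println("filtered,   foreign:    rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with a JDK 9 or later. Where an upgrade cannot be rolled out immediately, the same pattern syntax can be applied process-wide with `-Djdk.serialFilter=...` on the JVM command line, which covers every ObjectInputStream in the process, including ones in third-party code you cannot patch; an explicit per-stream filter as above is still the preferable fix because it documents exactly which classes the stream is expected to carry.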
How to fix CVE-2019-17556
To remediate CVE-2019-17556, upgrade the affected package to a fixed version below.
- upgrade to 4.7.0 or later
Is CVE-2019-17556 being exploited?
Low. EPSS is 0.78%, meaning the model assigns a low probability of exploitation activity in the wild over the next 30 days; it is a prediction of likelihood, not evidence that the flaw is unexploitable, and deployments that accept serialized metadata from untrusted sources should still treat this as critical.
Affected packages (1)
- >= 4.0.0, < 4.7.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |