CVE-2019-17554 – org.apache.olingo:odata-server-core
Package
Manager: maven
Name: org.apache.olingo:odata-server-core
Vulnerable Version: >=4.0.0 <4.7.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.52533 (percentile 0.97854)
Details
Improper Restriction of XML External Entity Reference in Apache Olingo. The XML content-type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml" that trigger the deserialization of entities can therefore be used to mount XXE attacks (CWE-611): a DOCTYPE in the request body can declare an external entity whose expansion reads local files or reaches internal network endpoints from the server's vantage point.
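Worked example, added to this record and not taken from the advisory or from the Olingo code base: a default StAX reader next to a hardened one, each fed a constructed OData entity body that declares an external entity. The class name, the <d:Name> property, the temporary file and its contents are assumptions made for illustration; the hardened settings are the standard StAX mitigation for CWE-611 and are not claimed to be byte-for-byte the change shipped in 4.7.0. Requires Java 11 or later.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class OlingoXxeDemo {

    // Constructed request body (not from the advisory): an OData Atom entry
    // whose <d:Name> property expands an external entity pointing at a local file.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE entry [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<entry xmlns=\"http://www.w3.org/2005/Atom\""
             + " xmlns:m=\"http://docs.oasis-open.org/odata/ns/metadata\""
             + " xmlns:d=\"http://docs.oasis-open.org/odata/ns/data\">\n"
             + "  <content type=\"application/xml\"><m:properties>"
             + "<d:Name>&xxe;</d:Name></m:properties></content>\n"
             + "</entry>";
    }

    // Default factory: the JDK StAX implementation processes DTDs and resolves
    // external general entities unless told otherwise, which is the state the
    // advisory describes for the affected deserializer.
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: refuse DTDs outright and, as a second layer, disable
    // external entity resolution. Standard StAX mitigation for CWE-611 (assumed
    // here, not a claim about the exact upstream fix).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Pull the text of the first <d:Name> element the way a property
    // deserializer would, returning whatever the parser resolved it to.
    static String readName(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "Name".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the attacker wants to exfiltrate.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db-password=hunter2");
        String body = payload(secret);

        // With the default factory the property value is the file's contents.
        System.out.println("default factory : " + readName(vulnerableFactory(), body));

        // With the hardened factory the reader either throws on the DOCTYPE /
        // undeclared entity or leaves the reference unexpanded; the file
        // contents never reach the property value.
        try {
            System.out.println("hardened factory: " + readName(hardenedFactory(), body));
        } catch (XMLStreamException e) {
            System.out.println("hardened factory: rejected (" + e.getMessage() + ")");
        }
        Files.delete(secret);
    }
}
```

Compile and run with `javac OlingoXxeDemo.java && java OlingoXxeDemo`. When auditing a deployment, check every XMLInputFactory (and DocumentBuilderFactory / SAXParserFactory) instance reachable from a request path, not only the one in the entity deserializer; the durable fix for this advisory is upgrading odata-server-core to 4.7.0 or later.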
Metadata
Created: 2020-02-04T22:37:43Z
Modified: 2021-08-19T16:53:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-mgh8-hcwj-h57v/GHSA-mgh8-hcwj-h57v.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-mgh8-hcwj-h57v
Finding: F083
Auto approve: 1