Description

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Remediation

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E

Related Vulnerabilities

CVE-2020-13951 Vulnerability in maven package org.apache.openmeetings:openmeetings-server

CVE-2023-33946 Vulnerability in maven package com.liferay.portal:release.portal.bom

CVE-2022-34211 Vulnerability in maven package org.jenkins-ci.plugins:vmware-vrealize-orchestrator

CVE-2020-5497 Vulnerability in maven package org.mitre:openid-connect-common

CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips-debug

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory