Description
Apache Olingo versions 4.0.0 through 4.6.0 expose the AbstractService class as public API. That class deserializes data with ObjectInputStream without restricting which classes the stream may instantiate. If an attacker can supply crafted metadata to the class, this unchecked deserialization can, in the worst case, lead to execution of attacker-controlled code.
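The weakness described above is the generic unrestricted-deserialization pattern, so the following added example (written for this page, not code from Apache Olingo) shows it beside its hardened form. The `Metadata` type, the `DeserializationDemo` class name, the allowlist contents and the use of `ArrayList` as a stand-in for an unlisted class are all assumptions for illustration; the page says nothing about the actual shape of Olingo's metadata stream. It requires Java 9 or later for `ObjectInputFilter` and `Set.of`; the `resolveClass` override alone works on older releases.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class DeserializationDemo {

    // Hypothetical payload type standing in for cached service metadata (assumption, not Olingo's type).
    static final class Metadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String serviceRoot;
        Metadata(String serviceRoot) { this.serviceRoot = serviceRoot; }
    }

    // Vulnerable pattern: whatever class name the stream carries is resolved and instantiated.
    static Object readUnchecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only classes on an explicit allowlist may be resolved.
    static final Set<String> ALLOWED = Set.of(Metadata.class.getName(), String.class.getName());

    static final class AllowlistInputStream extends ObjectInputStream {
        AllowlistInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in metadata stream");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readChecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistInputStream(new ByteArrayInputStream(untrusted))) {
            // Java 9+ filter: rejects unlisted classes before resolveClass runs and also caps
            // nesting depth and array sizes, which the resolveClass override alone cannot do.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "maxdepth=8;maxarray=1024;"
                    + "DeserializationDemo$Metadata;java.lang.String;!*"));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate payload and an unlisted class standing in for
        // whatever an attacker would actually name in a crafted stream.
        byte[] good = serialize(new Metadata("https://example.invalid/odata/"));
        byte[] bad = serialize(new ArrayList<>(List.of("not-metadata")));

        System.out.println("unchecked good: " + ((Metadata) readUnchecked(good)).serviceRoot);
        System.out.println("unchecked bad : " + readUnchecked(bad).getClass()); // accepted blindly
        System.out.println("checked good  : " + ((Metadata) readChecked(good)).serviceRoot);
        try {
            readChecked(bad);
        } catch (InvalidClassException e) {
            System.out.println("checked bad   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

`readUnchecked` is the shape to look for when auditing a library that accepts serialized data from outside: any `new ObjectInputStream(...).readObject()` with no filter and no `resolveClass` override instantiates whatever the caller names. The two defences in `readChecked` are complementary: the `resolveClass` allowlist works on every Java version, while the `ObjectInputFilter` also bounds depth and array length, which limits resource-exhaustion payloads that an allowlist of class names does not address. Keep the allowlist as small as the real payload needs; every class added to it is a class an attacker may instantiate.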
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2019-16568 Vulnerability in maven package hudson.plugins.sctmexecutor:sctmexecutor
CVE-2014-3623 Vulnerability in maven package org.apache.cxf:cxf
CVE-2020-2186 Vulnerability in maven package org.jenkins-ci.plugins:ec2
CVE-2019-10384 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-10453 Vulnerability in maven package org.jenkins-ci.plugins:delphix