Description
Apache Olingo versions 4.0.0 through 4.6.0 ship the AbstractService class as public API. It reads data with a plain ObjectInputStream and does not restrict which classes may be deserialized. An attacker who can supply malicious metadata to the class can therefore have arbitrary classes from the application's classpath instantiated during deserialization, which in the worst case results in execution of attacker-controlled code.
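The pattern behind this class of bug, and the usual fix, as an added example that is not Olingo's code: a method that reads untrusted bytes with a bare ObjectInputStream next to the same method guarded by a JEP 290 allow-list filter (java.io.ObjectInputFilter, Java 9 and later). The Metadata type, the method names and the HashMap used as the "unexpected" payload are all constructed for the demonstration; a real attack would name a gadget class whose readObject() has side effects, but any class outside the allow-list is enough to show where the filter intervenes.

```java
import java.io.*;
import java.util.Set;

public class DeserializationFilterDemo {

    // Constructed stand-in for whatever metadata a service expects to read back.
    // It is not an Olingo class.
    public static final class Metadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Metadata(String name) { this.name = name; }
    }

    // Vulnerable pattern: a plain ObjectInputStream instantiates whatever class
    // the stream names, as long as it is on the classpath, before the caller
    // ever gets a chance to cast or validate the result.
    static Object loadUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter. Classes not on the list are
    // rejected before their bytes are interpreted. String is listed because the
    // filter is also consulted for string instances in the stream.
    static Object loadFiltered(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(Metadata.class.getName(), "java.lang.String");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Depth, reference-count and array-length checks carry no class;
                    // leave those to the default decision.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return allowed.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    // Helper to produce serialized input for the two loaders above.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Metadata("schema-v1"));
        // Constructed "attacker" input: a serializable JDK type the service never
        // asked for. Substitute any gadget class and the unfiltered path behaves
        // the same way.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unfiltered, expected type:   "
                + (loadUnfiltered(expected) instanceof Metadata));
        System.out.println("unfiltered, unexpected type: "
                + loadUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, expected type:     "
                + (loadFiltered(expected) instanceof Metadata));
        try {
            loadFiltered(unexpected);
            System.out.println("filtered, unexpected type:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type:   rejected: " + e.getMessage());
        }
    }
}
```

Two points a reviewer would check in any fix of this shape: the filter must be an allow-list of the concrete types the service actually expects, not a deny-list of known gadgets, and it must be applied on every ObjectInputStream that touches untrusted input (or set process-wide via the jdk.serialFilter system property), since a single unguarded stream is enough to reintroduce the issue.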
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-cdc-mysql-processors
CVE-2021-41616 Vulnerability in maven package org.apache.ddlutils:ddlutils
CVE-2023-31103 Vulnerability in maven package org.apache.inlong:manager-service
CVE-2023-39345 Vulnerability in npm package @strapi/strapi
CVE-2021-23358 Vulnerability in maven package org.webjars.bower:underscore