Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2020-13951 Vulnerability in maven package org.apache.openmeetings:openmeetings-server
CVE-2023-33946 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2022-34211 Vulnerability in maven package org.jenkins-ci.plugins:vmware-vrealize-orchestrator
CVE-2020-5497 Vulnerability in maven package org.mitre:openid-connect-common
CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips-debug