Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream, and does not validate the classes being deserialized. If an attacker can feed malicious metadata to the class, the worst case is execution of the attacker's code.
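The pattern the description refers to, shown as an added example that is not Olingo's code: a loader that reads metadata with a plain ObjectInputStream beside one that installs an allow-list ObjectInputFilter (Java 9+). The ServiceMetadata type, the loader methods and the HashMap standing in for an unexpected class are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class MetadataDeserializationDemo {
    // Hypothetical metadata type standing in for whatever the service expects.
    public static final class ServiceMetadata implements Serializable {
        final String entitySetName;
        ServiceMetadata(String entitySetName) { this.entitySetName = entitySetName; }
    }

    // Vulnerable pattern: a plain ObjectInputStream instantiates whatever
    // serializable class the (possibly attacker-controlled) bytes name.
    static Object loadUnchecked(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the allow-list filter accepts only the expected metadata type
    // (and String, which its field holds); "!*" rejects every other class before it is
    // resolved, so none of its deserialization hooks ever run.
    static Object loadFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                ServiceMetadata.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    // Builds the constructed sample streams used below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ServiceMetadata("Products"));
        byte[] foreign = serialize(new java.util.HashMap<String, String>()); // any unexpected class
        System.out.println("unchecked accepts: " + loadUnchecked(foreign).getClass().getName());
        System.out.println("filtered accepts: " + loadFiltered(expected).getClass().getName());
        try { loadFiltered(foreign); }
        catch (InvalidClassException e) { System.out.println("filtered rejects: " + e.getMessage()); }
    }
}
```

The same allow-list can be applied process-wide through the jdk.serialFilter system property instead of per stream, which also covers deserialization in library code you do not control.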
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E