Description
Apache Olingo versions 4.0.0 through 4.6.0 provide the AbstractService class, which is public API. It reads its metadata with ObjectInputStream and does not check which classes are being deserialized. If an attacker can feed malicious metadata to the class, the outcome is untrusted Java deserialization, which in the worst case lets the attacker run arbitrary code in the process (a gadget chain on the application's classpath is enough; no Olingo-specific gadget is required).
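The following Java program is an added illustration of the bug class the description refers to; it is not Apache Olingo code, and the class names (DeserializationDemo, ServiceMetadata, EvilGadget) are hypothetical. It shows the unchecked ObjectInputStream pattern next to a hardened loader that installs a JEP 290 ObjectInputFilter (Java 9+) allowing only the one class it expects, and demonstrates that the filter rejects an unexpected class before its readObject hook can run.

```java
import java.io.*;
import java.util.concurrent.atomic.AtomicBoolean;

/*
 * Added example, not Apache Olingo code. All class names are hypothetical.
 * Requires Java 9 or later for java.io.ObjectInputFilter.
 */
public class DeserializationDemo {

    /** The only type a metadata loader should ever expect from the stream. */
    public static final class ServiceMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String namespace;
        ServiceMetadata(String namespace) { this.namespace = namespace; }
    }

    /** Stand-in for a gadget class: its readObject hook runs during deserialization. */
    public static final class EvilGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static final AtomicBoolean executed = new AtomicBoolean(false);
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed.set(true); // a real gadget would spawn a process or load a class here
        }
    }

    /** Vulnerable pattern: deserialize whatever the caller hands in, no class checks. */
    static Object loadUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject(); // gadget hooks fire inside this call
        }
    }

    /** Hardened pattern: allow-list filter, everything not listed is REJECTED. */
    static ServiceMetadata loadFiltered(byte[] data) throws IOException, ClassNotFoundException {
        // Pattern syntax: ';'-separated entries, '!' negates, '*' is a wildcard.
        // java.lang.String is listed for the field type; the trailing "!*" rejects all else.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                ServiceMetadata.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList); // must be set before the first readObject()
            return (ServiceMetadata) in.readObject();
        }
    }

    /** Helper producing the serialized bytes an attacker or a legitimate client would send. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new ServiceMetadata("Example.OData"));   // constructed input
        byte[] hostile = serialize(new EvilGadget());                      // constructed input

        // Unchecked loader: the gadget's readObject runs before the caller can even cast.
        loadUnchecked(hostile);
        System.out.println("unchecked loader ran gadget code: " + EvilGadget.executed.get());

        // Filtered loader: expected metadata loads, the gadget is rejected at class resolution.
        EvilGadget.executed.set(false);
        System.out.println("filtered loader accepted metadata: " + loadFiltered(benign).namespace);
        try {
            loadFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered loader rejected gadget: " + e.getMessage()
                    + " (gadget ran: " + EvilGadget.executed.get() + ")");
        }
    }
}
```

The filter is consulted when the stream resolves each class descriptor, so the rejection happens before EvilGadget is instantiated and before its readObject hook executes; that ordering is what makes an allow-list filter an effective mitigation, whereas a cast after readObject() is not. Note that the filter only hardens code you control; for a library such as Olingo that constructs its own ObjectInputStream, the fix has to come from the library.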
Remediation
Upgrade Apache Olingo to 4.7.0 or later (4.7.0 is the first release after the affected 4.0.0 to 4.6.0 range). Until the upgrade is in place, do not pass metadata from untrusted or unauthenticated sources to AbstractService, and treat any endpoint that accepts such metadata as an untrusted-deserialization sink.
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2021-37404 Vulnerability in maven package org.apache.hadoop:hadoop-hdfs-native-client
CVE-2020-2228 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth
CVE-2023-29471 Vulnerability in maven package com.typesafe.akka:akka-stream-kafka_3
CVE-2019-12418 Vulnerability in maven package org.apache.tomcat:tomcat-catalina-jmx-remote
CVE-2023-37965 Vulnerability in maven package org.jenkins-ci.plugins:elasticbox