Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2023-50777 Vulnerability in maven package com.cloudtp.jenkins:paaslane-estimate
CVE-2024-4367 Vulnerability in maven package org.webjars.npm:pdfjs-dist
CVE-2020-24616 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2021-37533 Vulnerability in maven package commons-net:commons-net