Description

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Remediation

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E

Related Vulnerabilities

CVE-2023-29526 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2017-9735 Vulnerability in maven package org.eclipse.jetty:jetty-util

CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-test

CVE-2022-34186 Vulnerability in maven package com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter

CVE-2019-10447 Vulnerability in maven package io.jenkins.plugins:sofy-ai

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory