XML External Entity Vulnerability in Apache Olingo by Apache Software Foundation
CVE-2019-17554

5.5 MEDIUM

Key Information:

Vendor
Apache
Status
Vendor
CVE Published:
4 December 2019

Summary

Apache Olingo versions 4.0.0 through 4.6.0 ship an XML content type entity deserializer that is not configured to deny the resolution of external entities. Any request with Content-Type 'application/xml' is handed to this deserializer, so a body carrying a DOCTYPE with an external entity declaration is parsed with that entity resolved. This is a classic XML External Entity (XXE) weakness (CWE-611): an attacker who can submit such a request can make the server read local files or fetch attacker-chosen URLs, exposing data and enabling further attacks against internal services. The issue is fixed in Apache Olingo 4.7.0; users of affected versions should upgrade, and, as defence in depth, disable DTD processing and external entity resolution in every XML parser that receives untrusted input.
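The following Java program is added here as an illustration; it is not code from the Olingo project or from this advisory. It reproduces the failure mode with the JDK's StAX API: the same constructed payload is fed to a parser left at its defaults (the condition the advisory describes for the affected deserializer) and to one with DTD support and external entity resolution switched off. The payload, the temporary file standing in for a server-side secret, and the element names are constructed for the demo and are not an Olingo request format; whether Olingo's own fix sets exactly these StAX properties is not stated on this page and is assumed here only as the generic hardening.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Stand-alone XXE demonstration (added example, not Olingo code). Requires Java 11+. */
public class XxeDemo {

    /**
     * Mimics a deserializer that collects the text content of an XML body.
     * Whether &xxe; expands to the file's contents depends entirely on how
     * the supplied factory was configured.
     */
    static String extractText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString().trim();
    }

    /** Default JDK StAX settings: DTDs are processed and external entities are resolved. */
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened settings: no DTD processing, no external entity resolution. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the server's filesystem.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FROM-SERVER-FS");

        // Constructed payload: an external entity pointing at that file, referenced in the body.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE entry [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<entry><Name>&xxe;</Name></entry>";

        try {
            // With default settings the entity is resolved and the file contents leak.
            System.out.println("default parser : " + extractText(vulnerableFactory(), payload));

            // With the hardened factory the DOCTYPE is rejected or the reference is left
            // unexpanded (implementation dependent); either way nothing is read from disk.
            try {
                System.out.println("hardened parser: " + extractText(hardenedFactory(), payload));
            } catch (XMLStreamException e) {
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`. The exact text printed for the hardened branch depends on which StAX implementation is on the classpath (the JDK's built-in parser or Woodstox), but in neither case does the temporary file's content appear; the default branch shows why a deserializer that accepts 'application/xml' must never run with a default-configured factory.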

Affected Version(s)

Olingo 4.0.0 to 4.6.0

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
