Denial of Service Vulnerability in Apache Olingo by Malicious Retry-After Header
CVE-2019-17555

7.5HIGH

Key Information:

Vendor: Apache
Status: Olingo
Vendor: CVE Published:; 4 December 2019

Summary

A vulnerability exists in the AsyncResponseWrapperImpl class of Apache Olingo versions 4.0.0 to 4.6.0, where the application processes the Retry-After header improperly. If a malicious server sends a substantially large value in this header, it can result in the Thread.sleep() method being invoked with an excessively long duration, potentially leading to a Denial of Service condition. This vulnerability underscores the importance of validating header values to prevent misuse and maintain system availability.

Affected Version(s)

Olingo 4.0.0 to 4.6.0

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 4, 2019
Vulnerability Reserved
Oct 14, 2019