CVE-2019-17555

7.5HIGH

Key Information:

Vendor: Apache
Status: Olingo
Vendor: CVE Published:; 4 December 2019

Summary

The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.

Affected Version(s)

Olingo 4.0.0 to 4.6.0

References

https://mail-archives.apache.org/mod_mbox/olingo-user/201...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 4, 2019
Vulnerability Reserved
Oct 14, 2019