Improper Restriction of XML External Entity Reference in Apache Olingo · CVE-2019-17554 · GitHub Advisory Database · GitHub

Improper Restriction of XML External Entity Reference in Apache Olingo

Moderate severity GitHub Reviewed Published Feb 4, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

org.apache.olingo:odata-client-core (Maven)

Affected versions

>= 4.0.0, <= 4.6.0

Patched versions

4.7.0

org.apache.olingo:odata-server-core (Maven)

>= 4.0.0, <= 4.6.0

4.7.0

Description

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

References

Reviewed Feb 4, 2020

Published to the GitHub Advisory Database Feb 4, 2020

Last updated Jan 9, 2023

Severity

Moderate

5.5

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N