Search criteria
8 vulnerabilities found for olingo by apache
CVE-2020-1925 (GCVE-0-2020-1925)
Vulnerability from nvd – Published: 2020-01-09 18:41 – Updated: 2024-08-04 06:54
VLAI?
Summary
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.
Severity ?
No CVSS data available.
CWE
- Server Side Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Olingo |
Affected:
4.0.0 to 4.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Olingo",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server Side Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-09T18:41:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server Side Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E",
"refsource": "CONFIRM",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1925",
"datePublished": "2020-01-09T18:41:08",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:54:00.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17555 (GCVE-0-2019-17555)
Vulnerability from nvd – Published: 2019-12-04 17:06 – Updated: 2024-08-05 01:40
VLAI?
Summary
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
Severity ?
No CVSS data available.
CWE
- DoS via Retry-After header vulnerability
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DoS via Retry-After header vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-04T17:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "DoS via Retry-After header vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17555",
"datePublished": "2019-12-04T17:06:18",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17556 (GCVE-0-2019-17556)
Vulnerability from nvd – Published: 2019-12-04 16:59 – Updated: 2024-08-05 01:40
VLAI?
Summary
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Severity ?
No CVSS data available.
CWE
- Deserialization vulnerability
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-04T16:59:49",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17556",
"datePublished": "2019-12-04T16:59:49",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17554 (GCVE-0-2019-17554)
Vulnerability from nvd – Published: 2019-12-04 16:54 – Updated: 2024-08-05 01:40
VLAI?
Summary
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Severity ?
No CVSS data available.
CWE
- XML External Entity resolution attack
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type \"application/xml\", which trigger the deserialization of entities, can be used to trigger XXE attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity resolution attack",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-31T08:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17554",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type \"application/xml\", which trigger the deserialization of entities, can be used to trigger XXE attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity resolution attack"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"name": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17554",
"datePublished": "2019-12-04T16:54:22",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1925 (GCVE-0-2020-1925)
Vulnerability from cvelistv5 – Published: 2020-01-09 18:41 – Updated: 2024-08-04 06:54
VLAI?
Summary
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.
Severity ?
No CVSS data available.
CWE
- Server Side Request Forgery
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Olingo |
Affected:
4.0.0 to 4.7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:54:00.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Olingo",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server Side Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-09T18:41:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-1925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server Side Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E",
"refsource": "CONFIRM",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-1925",
"datePublished": "2020-01-09T18:41:08",
"dateReserved": "2019-12-02T00:00:00",
"dateUpdated": "2024-08-04T06:54:00.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17555 (GCVE-0-2019-17555)
Vulnerability from cvelistv5 – Published: 2019-12-04 17:06 – Updated: 2024-08-05 01:40
VLAI?
Summary
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
Severity ?
No CVSS data available.
CWE
- DoS via Retry-After header vulnerability
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DoS via Retry-After header vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-04T17:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "DoS via Retry-After header vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17555: DoS via Retry-After header vulnerability",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d65UmudJ_MQkFXEv9YY_wwZbRA3sgtNDzMoLM51Qh%3DRCA%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17555",
"datePublished": "2019-12-04T17:06:18",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17556 (GCVE-0-2019-17556)
Vulnerability from cvelistv5 – Published: 2019-12-04 16:59 – Updated: 2024-08-05 01:40
VLAI?
Summary
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Severity ?
No CVSS data available.
CWE
- Deserialization vulnerability
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-04T16:59:49",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17556",
"datePublished": "2019-12-04T16:59:49",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17554 (GCVE-0-2019-17554)
Vulnerability from cvelistv5 – Published: 2019-12-04 16:54 – Updated: 2024-08-05 01:40
VLAI?
Summary
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Severity ?
No CVSS data available.
CWE
- XML External Entity resolution attack
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Olingo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "4.0.0 to 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type \"application/xml\", which trigger the deserialization of entities, can be used to trigger XXE attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity resolution attack",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-31T08:06:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17554",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type \"application/xml\", which trigger the deserialization of entities, can be used to trigger XXE attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity resolution attack"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E"
},
{
"name": "20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE)",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/11"
},
{
"name": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html"
},
{
"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17554",
"datePublished": "2019-12-04T16:54:22",
"dateReserved": "2019-10-14T00:00:00",
"dateUpdated": "2024-08-05T01:40:15.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}