PT-2019-15204 · Apache · Apache Olingo

Archibald Haddock · Published 2019-12-04 · Updated 2020-02-04 · CVE-2019-17554

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Olingo versions 4.0.0 through 4.6.0

Description: The issue concerns the XML content type entity deserializer, which is not properly configured to prevent the resolution of external entities. This can be exploited through requests with the "application/xml" content type, potentially leading to XXE (XML External Entity) attacks.

Recommendations: For Apache Olingo versions 4.0.0 through 4.6.0, consider disabling the XML content type entity deserializer until a patch is available to prevent the resolution of external entities and minimize the risk of XXE attacks.
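Added example, not part of this advisory and not Apache Olingo's own code: a Java StAX parser configuration that refuses DTD processing and external entity resolution (the defect class described above), together with a content-type check that implements the interim recommendation of refusing XML bodies before any deserializer runs. The class and method names, the sample documents and the placeholder file path are all constructed for this example; whether Olingo's deserializer is built on StAX is not stated on this page, so the configuration is shown on the generic javax.xml.stream API.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.util.Locale;

public class XxeHardening {

    /** Build a StAX factory that never processes DTDs or resolves external entities. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DOCTYPE/DTD processing at all, so entity declarations are never honoured.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Belt and braces: even where a DTD is processed, never fetch external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Parse a document with the given factory and return its concatenated text content. */
    public static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    /** True when the Content-Type header names an XML media type; parameters such as charset are ignored. */
    public static boolean isXmlContentType(String header) {
        if (header == null) {
            return false;
        }
        String type = header.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return type.equals("application/xml") || type.equals("text/xml") || type.endsWith("+xml");
    }

    public static void main(String[] args) {
        // Constructed sample: a benign entity body with no DOCTYPE.
        String benign = "<entry><content><name>alice</name></content></entry>";
        // Constructed sample: the same body with a DOCTYPE that declares an external entity.
        // The path is a placeholder that does not exist; a correctly configured parser never reads it.
        String withExternalEntity =
            "<!DOCTYPE entry [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder.txt\">]>"
          + "<entry><content><name>&ext;</name></content></entry>";

        XMLInputFactory hardened = hardenedFactory();
        for (String doc : new String[] {benign, withExternalEntity}) {
            try {
                // With the hardened factory the external reference is never resolved: depending on the
                // StAX implementation the reader either throws here or leaves the reference unexpanded.
                System.out.println("parsed: '" + textContent(hardened, doc) + "'");
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // Interim mitigation from the advisory: refuse XML request bodies before any deserializer runs.
        String[] headers = {"application/xml; charset=utf-8", "application/json", "application/atom+xml"};
        for (String ct : headers) {
            System.out.println(ct + " -> " + (isXmlContentType(ct) ? "reject with 415" : "allow"));
        }
    }
}
```

The two properties do different jobs: SUPPORT_DTD=false stops the DOCTYPE from being processed at all, which also removes parameter entities and entity-expansion denial-of-service as a side effect, while IS_SUPPORTING_EXTERNAL_ENTITIES=false only blocks the external fetch and is the one to keep if an application genuinely needs internal DTDs. The content-type check is the coarse stop-gap the advisory recommends for unpatched 4.0.0 through 4.6.0 deployments; it should be applied at the edge (a servlet filter or reverse proxy) and removed once the deserializer itself is fixed.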

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers

CVE-2019-17554
GHSA-MGH8-HCWJ-H57V

Affected Products

Apache Olingo