PT-2020-15171 · Apache · Apache Olingo

Artem Smotrakov · Published 2020-01-09 · Updated 2020-02-04 · CVE-2020-1925

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Olingo versions 4.0.0 through 4.7.0

Description

The issue allows for a potential Server-Side Request Forgery (SSRF) attack. This occurs because the AsyncRequestWrapperImpl class reads a URL from the Location header and then sends a GET or DELETE request to this URL. An attacker could trick a client into connecting to a malicious server, which could then make the client call any URL, including internal resources that are not directly accessible to the attacker.

Recommendations

For Apache Olingo versions 4.0.0 through 4.7.0, consider restricting access to the AsyncRequestWrapperImpl class until a patch is available, or implement validation on the URLs read from the Location header to prevent requests to internal or unauthorized resources.
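A Location-header check of the kind the recommendation calls for, written here as an added Python example (it is not Apache Olingo code; the odata.example.com host and service root are constructed). The client may only follow URLs that stay on the configured service root; non-http(s) schemes, embedded credentials and non-public IP literals are refused. DNS names are not resolved here, so a production version should also resolve the host and re-check the address before connecting.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_non_public_ip_literal(host):
    """True if `host` is an IP literal outside the public ranges
    (loopback, private, link-local, multicast, ...)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a DNS name; resolve it and re-check before connecting


def _effective_port(parts):
    """Explicit port, or the scheme default, so host:443 and host compare equal."""
    return parts.port or (443 if parts.scheme == "https" else 80)


def location_is_safe(location, service_root):
    """Decide whether an async client may follow `location`.

    The URL must be absolute http(s), carry no userinfo, not point at a
    non-public IP literal, and have the same scheme, host and port as the
    service root the client was configured with. Anything else is refused,
    so a response from an untrusted server cannot steer the client elsewhere.
    """
    try:
        root, loc = urlsplit(service_root), urlsplit(location)
        if not root.hostname or not loc.hostname:
            return False
        if loc.scheme not in ALLOWED_SCHEMES:
            return False
        if loc.username is not None or loc.password is not None:
            return False
        if _is_non_public_ip_literal(loc.hostname):
            return False
        return (loc.scheme, loc.hostname.lower(), _effective_port(loc)) == (
            root.scheme, root.hostname.lower(), _effective_port(root))
    except ValueError:  # malformed port or IPv6 literal
        return False


if __name__ == "__main__":
    # Constructed sample values; the host names are not real services.
    ROOT = "https://odata.example.com/service/"
    for hdr in ("https://odata.example.com/service/async/42",
                "http://odata.example.com/service/async/42",
                "http://169.254.169.254/latest/meta-data/",
                "https://odata.example.com@other.example/x",
                "file:///etc/hosts"):
        print("follow" if location_is_safe(hdr, ROOT) else "refuse", hdr)
```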

Weakness Enumeration

SSRF

Related Identifiers

CVE-2020-1925
GHSA-V4QH-6367-4CX2

Affected Products

Apache Olingo