Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-gj76-429m-56wc

Опубликовано: 04 фев. 2020
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

Deserialization of Untrusted Data in Apache Olingo

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Ссылки

Пакеты

Наименование

org.apache.olingo:odata-client-proxy

maven
Затронутые версииВерсия исправления

>= 4.0.0, <= 4.6.0

4.7.0

EPSS

Процентиль: 73%
0.00782
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2019-17556

Дефекты

CWE-502

Связанные уязвимости

nvd логотип

CVE-2019-17556

CVSS3: 9.8
nvd
около 6 лет назад

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

EPSS

Процентиль: 73%
0.00782
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2019-17556

Дефекты

CWE-502