Описание
Improper Restriction of XML External Entity Reference in Apache Olingo
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-17554
- https://github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63
- https://github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c
- https://issues.apache.org/jira/browse/OLINGO-1409
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
- https://seclists.org/bugtraq/2019/Dec/11
- http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
Пакеты
Наименование
org.apache.olingo:odata-client-core
maven
Затронутые версииВерсия исправления
>= 4.0.0, <= 4.6.0
4.7.0
Наименование
org.apache.olingo:odata-server-core
maven
Затронутые версииВерсия исправления
>= 4.0.0, <= 4.6.0
4.7.0
Связанные уязвимости
CVSS3: 5.5
nvd
около 6 лет назад
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.