CVE-2019-17554

Опубликовано: 04 дек. 2019

Источник: nvd

CVSS3: 5.5

CVSS2: 4.3

EPSS Средний

Описание

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Ссылки

http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
Exploit
Third Party Advisory
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
Mailing List
Vendor Advisory
https://seclists.org/bugtraq/2019/Dec/11
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
Exploit
Third Party Advisory
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
Mailing List
Vendor Advisory
https://seclists.org/bugtraq/2019/Dec/11
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:olingo:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.6.0 (включая)

EPSS

Процентиль: 98%

0.52533

Средний

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-611

Связанные уязвимости

GHSA-mgh8-hcwj-h57v