CVE-2019-17556

Опубликовано: 04 дек. 2019

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Низкий

Описание

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Ссылки

https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Mailing List
Vendor Advisory
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:olingo:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.6.0 (включая)

EPSS

Процентиль: 73%

0.00782

Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-gj76-429m-56wc