EUVD-2020-0289
Malware in sbrugna...
EUVD-2020-0315
Malware in sbrugna...
EUVD-2020-0304
Malware in sbrugna...
CVE-2019-17554
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks...
CVE-2019-17556
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, it may result in running the attacker's code in the worst case...
CVE-2019-17555
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep method without any check. If a malicious server returns a huge value in the header, it can be used to implement a DoS attack...
olingo-odata: Server side request forgery in AsyncResponseWrapperImpl
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. It may allow an SSRF attack. If an attacker tricks a client into connecting to a malicious server, the server can...
VulnCheck KEV: CVE-2019-17554
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks...
GHSA-V4QH-6367-4CX2 Server-Side Request Forgery (SSRF) in Apache Olingo
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. It may allow an SSRF attack. If an attacker tricks a client into connecting to a malicious server, the server can...
Server-Side Request Forgery (SSRF) in Apache Olingo
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. It may allow an SSRF attack. If an attacker tricks a client into connecting to a malicious server, the server can...
com.github.davidmoten:odata-client-test-olingo-trip-pin (=0.2.6), com.github.davidmoten:odata-client-test-report (>=0.1.14 <=0.2.5) +1 more potentially affected by CVE-2019-17556 via org.apache.olingo:odata-client-proxy (>=4.0.0 <=4.6.0)
org.apache.olingo:odata-client-proxy MAVEN version =4.0.0, =0.1.14, =4.0.0, =4.10.0 Source cves: CVE-2019-17556 Source advisory: OSV:GHSA-GJ76-429M-56WC...
Deserialization of Untrusted Data in Apache Olingo
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, it may result in running the attacker's code in the worst case...
GHSA-GJ76-429M-56WC Deserialization of Untrusted Data in Apache Olingo
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, it may result in running the attacker's code in the worst case...
com.genexus:gxodata (>=2.6.2 <=2.7.27), com.github.axway-api-management-plus.apim-cli:apimcli-apim-adapter (>=1.14.4 <=1.14.13) +44 more potentially affected by CVE-2019-17554 via org.apache.olingo:odata-client-core (>=4.0.0 <=4.6.0)
org.apache.olingo:odata-client-core MAVEN version =4.0.0, =2.6.2, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =1.14.4, =0.1.14, =1.0.0-RELEASE, =1.0.0-RELEASE, =4.26.0, =5.2.0 and more Source cves: CVE-2019-17554 Source advisory: OSV...
Improper Restriction of XML External Entity Reference in Apache Olingo
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks...
GHSA-MGH8-HCWJ-H57V Improper Restriction of XML External Entity Reference in Apache Olingo
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks...
GHSA-477X-W7M6-C6PH Improper input validation in Apache Olingo
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep method without any check. If a malicious server returns a huge value in the header, it can be used to implement a DoS attack...
Improper input validation in Apache Olingo
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep method without any check. If a malicious server returns a huge value in the header, it can be used to implement a DoS attack...
CVE-2020-1925
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. It may allow an SSRF attack. If an attacker tricks a client into connecting to a malicious server, the server can...
Apache Olingo SSRF Attack Vulnerability
Apache Olingo is a Java library from the U.S. Apache Software Foundation that implements the Open Data Protocol (OData). The Apache Olingo SSRF vulnerability can be exploited by an attacker to trick a client into connecting to a malicious server, after which the server can cause...