4 matches found
CVE-2020-1925
CVE-2020-1925 - Apache Olingo SSRF issue: Multiple sources describe a vulnerability in Apache Olingo versions 4.0.0–4.7.0 where the AsyncRequestWrapperImpl reads a URL from the Location header and then issues a GET or DELETE request to that URL. This can enable a Server-Side Request Forgery (SSR...
CVE-2019-17554
The CVE-2019-17554 issue affects the Apache Olingo OData library (versions 4.0.0–4.6.0). The root cause is that the XML content-type entity deserializer is not configured to deny resolution of external entities, allowing an incoming request with content type application/xml to trigger the deseria...
CVE-2019-17555
CVE-2019-17555 affects Apache Olingo 4.0.0–4.6.0. The AsyncResponseWrapperImpl reads the Retry-After header and passes it directly to Thread.sleep() without validation. A malicious server could supply a huge value, enabling a denial of service (DoS) through an arbitrarily long blocking sleep. Public records (RH...
CVE-2019-17556
CVE-2019-17556 concerns Apache Olingo, where versions 4.0.0 to 4.6.0 expose the AbstractService class (public API) that uses ObjectInputStream without validating deserialized classes. This unsafe deserialization could let an attacker feed malicious metadata and potentially execute attacker-contro...