CVE-2019-17556

Summary

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

Affected Software

VendorProductVersion RangeStatus
ApacheOlingo4.0.0 to 4.6.0affected

Weaknesses

  • Deserialization vulnerability

ADP Enrichment

CVE Program Container

Additional References

References