Critical severityNVD Advisory· Published Dec 4, 2019· Updated Aug 5, 2024

CVE-2019-17556

Description

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.olingo:odata-client-proxyMaven	>= 4.0.0, < 4.7.0	4.7.0

Affected products

ghsa-coords
pkg:maven/org.apache.olingo/odata-client-proxy
Range: >= 4.0.0, < 4.7.0
Apache/Olingocpe-rescue
Range: 4.0.0 to 4.6.0

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gj76-429m-56wcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-17556ghsaADVISORY
github.com/apache/olingo-odata4/pull/60/filesghsaWEB
issues.apache.org/jira/browse/OLINGO-1410ghsaWEB
mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3Eghsamailing-listx_refsource_MLISTWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000