Maven package
org.apache.olingo/odata-client-core
pkg:maven/org.apache.olingo/odata-client-core
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-1925 | — | | | >= 4.0.0, < 4.7.1 | 4.7.1 | Jan 9, 2020 | Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. It may allow an attacker to implement an SSRF attack. If an attacker tricks a client to connect to a malicious server |
| CVE-2019-17555 | — | | | >= 4.0.0, < 4.7.0 | 4.7.0 | Dec 4, 2019 | The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, it can be used to implement a DoS attack. |
| CVE-2019-17554 | — | | | >= 4.0.0, < 4.7.0 | 4.7.0 | Dec 4, 2019 | The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks. |