GSD-2019-17556
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-17556",
"description": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case.",
"id": "GSD-2019-17556"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-17556"
],
"details": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case.",
"id": "GSD-2019-17556",
"modified": "2023-12-13T01:23:44.330342Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Olingo",
"version": {
"version_data": [
{
"version_value": "4.0.0 to 4.6.0"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"refsource": "MLIST",
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[4.0.0,4.6.0]",
"affected_versions": "All versions starting from 4.0.0 up to 4.6.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2021-08-19",
"description": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case.",
"fixed_versions": [
"4.7.0"
],
"identifier": "CVE-2019-17556",
"identifiers": [
"GHSA-gj76-429m-56wc",
"CVE-2019-17556"
],
"not_impacted": "All versions before 4.0.0, all versions after 4.6.0",
"package_slug": "maven/org.apache.olingo/odata-client-proxy",
"pubdate": "2020-02-04",
"solution": "Upgrade to version 4.7.0 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-17556",
"https://github.com/apache/olingo-odata4/pull/60/files",
"https://github.com/advisories/GHSA-gj76-429m-56wc"
],
"uuid": "48b8ccf5-82f3-46e1-91ab-095c64a9055b"
},
{
"affected_range": "[4.0.0,4.6.0]",
"affected_versions": "All versions starting from 4.0.0 up to 4.6.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2019-12-13",
"description": "Apache Olingo provides the `AbstractService` class, which is public API, uses `ObjectInputStream` and does not check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case.",
"fixed_versions": [
"4.7.0"
],
"identifier": "CVE-2019-17556",
"identifiers": [
"CVE-2019-17556"
],
"not_impacted": "All versions before 4.0.0, all versions after 4.6.0",
"package_slug": "maven/org.apache.olingo/odata-server-core",
"pubdate": "2019-12-04",
"solution": "Upgrade to version 4.7.0 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-17556",
"https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
],
"uuid": "084b3fa9-c6ee-4e11-8b42-94e763a1609e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:olingo:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.6.0",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17556"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn\u0027t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker\u0027s code in the worse case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[olingo-user] 20191204 [SECURITY] CVE-2019-17556: Deserialization vulnerability",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-12-13T22:19Z",
"publishedDate": "2019-12-04T17:16Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…