CVE List

CVE-2019-17554

Moderate 5.5

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Published December 4, 2019.

Affected software

Apache Olingo

Reference links

Sign Up for Alerts