First published: Wed Dec 04 2019
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API. It uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to the class, the result in the worst case may be execution of the attacker's code.
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Olingo | >=4.0.0, <=4.6.0 | Update to a version higher than 4.6.0
CVE-2019-17556 is a vulnerability in Apache Olingo versions 4.0.0 to 4.6.0 that allows an attacker to run their code by feeding malicious metadata to the AbstractService class.
CVE-2019-17556 is considered a critical vulnerability with a severity score of 9.8.
CVE-2019-17556 affects Apache Olingo versions 4.0.0 to 4.6.0, where the AbstractService class, a public API, uses ObjectInputStream without properly checking deserialized classes.
An attacker can exploit CVE-2019-17556 by providing malicious metadata to the AbstractService class, allowing them to execute arbitrary code.
Users should update to a version of Apache Olingo that is not affected by CVE-2019-17556, specifically a version higher than 4.6.0.
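To make the weakness concrete, here is an added Java illustration (not Apache Olingo's code, and it makes no claim about how AbstractService is written) of a plain ObjectInputStream beside one that allowlists classes in resolveClass before any instance is created; the class names in ALLOWED and the sample metadata map are assumed for the example.

```java
import java.io.*;
import java.util.*;
// Added illustration of the weakness class behind CVE-2019-17556. This is not
// Apache Olingo's code and makes no claim about how AbstractService is written.
public class MetadataDeserializer {
    // Before: a plain ObjectInputStream lets the incoming bytes name any Serializable class on the classpath.
    static Object unchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Classes the application expects in serialized metadata (assumed for this example).
    static final Set<String> ALLOWED = Set.of("java.util.HashMap", "java.lang.Integer", "java.lang.Number");

    // After: look-ahead allowlist. resolveClass() is consulted for each class descriptor before an
    // instance exists, so an unexpected class is refused before its readObject/readResolve can run.
    // On Java 9+ the same policy can be set with in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(...)).
    static Object checked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> metadata = new HashMap<>();   // constructed sample "metadata"
        metadata.put("version", 4);
        System.out.println("accepted: " + checked(serialize(metadata)));
        try {
            checked(serialize(new ArrayList<String>()));  // stands in for any class the service does not expect
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must also name superclass descriptors present in the stream (here java.lang.Number for Integer) and any array types, which is why a denylist of known gadget classes is not a substitute.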