Vulnerability in Apache Olingo

CVE-2019-17554

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, ca…

EPSS: 0.525 (98.0th percentile) — read the EPSS interpretation.

Affected products

Apache Olingo — versions 4.0.0 to 4.6.0

References

[olingo-user] 20191204 [SECURITY] CVE-2019-17554: XML External Entity resolution attack (mailing-list, x_refsource_MLIST)
20191210 CVE-2019-17554 - Apache Olingo OData 4.0 - XML External Entity Resolution (XXE) (mailing-list, x_refsource_BUGTRAQ)
packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.ht… (x_refsource_MISC)
[announce] 20200131 Apache Software Foundation Security Report: 2019 (mailing-list, x_refsource_MLIST)