Vulnerability in Apache Olingo

CVE-2019-17556

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream, and doesn't check the classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result…

EPSS: 0.008 (74.1th percentile).

Frequently asked questions

What is CVE-2019-17556?
CVE-2019-17556 is a vulnerability in Apache Olingo. Published 2019-12-04.
Is CVE-2019-17556 known to be exploited?
26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.