oss-sec mailing list archives
CVE-2019-17554: Olingo: XML External Entity resolution attack
From: mibo <mibo () apache org>
Date: Wed, 4 Dec 2019 06:25:00 +0100
CVE-2019-17554: XML External Entity resolution attack

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Olingo 4.0.0 to 4.6.0
The OData v2 versions of Olingo 2.x are not affected

Description:
The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Mitigation:
4.x.x users should upgrade to 4.7.0

Credit:
This issue was discovered by Archibald Haddock of Compass Security Schweiz AG.

Links:
https://issues.apache.org/jira/browse/OLINGO-1409
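The root cause named in the advisory is a StAX parser factory that was never told to refuse DTDs and external entities. The following is an added example, not code from the Olingo project or from this advisory, showing the hardened XMLInputFactory settings a deserializer of untrusted "application/xml" input should use, together with a regression-style check that a constructed document declaring an external entity (with a placeholder URI that must never be resolved) is not processed. The class name, the fixture and the readContent helper are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedXmlParsing {

    // Constructed test fixture (not from the advisory): an OData-style entry that
    // declares an external entity with a placeholder URI. A correctly hardened
    // parser must reject the DOCTYPE or refuse to resolve the entity.
    static final String FIXTURE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE entry [ <!ENTITY ext SYSTEM \"file:///placeholder/never-resolved\"> ]>\n"
        + "<entry><content>&ext;</content></entry>";

    /** Hardened StAX factory: DTD processing off, external entity resolution off. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Reads the document with the given factory and returns the character content
     * of the first <content> element. Throws XMLStreamException when the parser
     * refuses the input (the desired outcome for the fixture above).
     */
    static String readContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            StringBuilder text = new StringBuilder();
            boolean inContent = false;
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.START_ELEMENT
                        && "content".equals(r.getLocalName())) {
                    inContent = true;
                } else if (ev == XMLStreamConstants.END_ELEMENT
                        && "content".equals(r.getLocalName())) {
                    return text.toString();
                } else if (inContent && ev == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            return text.toString();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        try {
            String content = readContent(hardenedFactory(), FIXTURE);
            // Reaching here means the DTD was tolerated; the content must then be
            // empty or the unresolved reference, never data fetched from the URI.
            System.out.println("Parser accepted document; content=\"" + content + "\"");
        } catch (XMLStreamException e) {
            System.out.println("Hardened parser rejected the input: " + e.getMessage());
        }
    }
}
```

Which of the two outcomes you see depends on the StAX implementation on the classpath: the JDK's built-in parser reports a fatal error as soon as it meets the DOCTYPE with SUPPORT_DTD disabled, while other implementations may skip the DTD and then fail on the undeclared entity reference. Both are acceptable; what a review should flag is a factory created with XMLInputFactory.newInstance() and handed untrusted request bodies without these two properties set, which is the configuration gap the advisory describes for Olingo 4.0.0 to 4.6.0.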