oss-sec mailing list archives
CVE-2019-17555: Olingo: DoS via Retry-After header vulnerability
From: mibo <mibo () apache org>
Date: Wed, 4 Dec 2019 06:27:11 +0100
CVE-2019-17555: DoS via Retry-After header vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Olingo 4.0.0 to 4.6.0
The OData v2 versions of Olingo 2.x are not affected

Description: The AsyncResponseWrapperImpl class reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.

Mitigation: 4.x.x users should upgrade to 4.7.0

Credit: This issue was discovered by Artem Smotrakov of SAP SE.

Links: https://issues.apache.org/jira/browse/OLINGO-1411
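Illustrative Java handling of the header, added here as an example and not Olingo's own code: it shows the unchecked pattern the advisory describes next to a bounded version that parses Retry-After as delta-seconds or an HTTP-date and clamps the wait to a client-side ceiling; the class name, MAX_WAIT and DEFAULT_WAIT are assumed policy values, not anything from the project.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

/** Illustrative Retry-After handling (assumed names; not Olingo's code). */
public final class RetryAfterGuard {
    /** Assumed client policy: never wait longer than this on a server-supplied hint. */
    static final Duration MAX_WAIT = Duration.ofSeconds(60);
    /** Assumed fallback when the header is missing, negative or unparseable. */
    static final Duration DEFAULT_WAIT = Duration.ofSeconds(5);

    /** The pattern the advisory describes: the server-controlled value goes straight to Thread.sleep(). */
    static void uncheckedWait(String retryAfter) throws InterruptedException {
        // The remote server decides how long this thread is parked; nothing bounds it.
        Thread.sleep(Long.parseLong(retryAfter.trim()) * 1000L);
    }

    /**
     * Parse Retry-After as delta-seconds or an RFC 1123 HTTP-date (RFC 7231 section 7.1.3)
     * and clamp the result to [0, MAX_WAIT]; bad input falls back to DEFAULT_WAIT.
     */
    static Duration boundedDelay(String retryAfter, Instant now) {
        if (retryAfter == null || retryAfter.isBlank()) {
            return DEFAULT_WAIT;
        }
        String value = retryAfter.trim();
        Duration delay;
        try {
            long seconds = Long.parseLong(value);               // delta-seconds form
            delay = seconds < 0 ? DEFAULT_WAIT : Duration.ofSeconds(seconds);
        } catch (NumberFormatException notANumber) {
            try {                                               // HTTP-date form
                ZonedDateTime at = ZonedDateTime.parse(value, DateTimeFormatter.RFC_1123_DATE_TIME);
                delay = Duration.between(now, at.toInstant());
                if (delay.isNegative()) delay = Duration.ZERO;  // date already passed: retry now
            } catch (DateTimeParseException unparseable) {
                delay = DEFAULT_WAIT;
            }
        }
        return delay.compareTo(MAX_WAIT) > 0 ? MAX_WAIT : delay; // the clamp is the actual fix
    }

    static void boundedWait(String retryAfter) throws InterruptedException {
        Thread.sleep(boundedDelay(retryAfter, Instant.now()).toMillis());
    }

    public static void main(String[] args) {
        System.out.println(boundedDelay("3", Instant.now()));
        System.out.println(boundedDelay("9223372036854775807", Instant.now()));
        System.out.println(boundedDelay("Wed, 21 Oct 2015 07:28:00 GMT", Instant.parse("2015-10-21T07:27:30Z")));
    }
}
```

The same clamp belongs on any sleep or timeout derived from a peer-supplied value, since a server that can name the delay can otherwise tie up the client's threads for as long as it likes.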