Vulnerabilities > CVE-2019-17554 - XXE vulnerability in Apache Olingo
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 22 |
Common Weakness Enumeration (CWE)
Exploit-Db
| id | EDB-ID:47770 |
| last seen | 2019-12-11 |
| modified | 2019-12-11 |
| published | 2019-12-11 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/47770 |
| title | Apache Olingo OData 4.0 - XML External Entity Injection |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/155619/CSNC-2009-025.txt |
| id | PACKETSTORM:155619 |
| last seen | 2019-12-12 |
| published | 2019-12-10 |
| reporter | Archibald Haddock |
| source | https://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html |
| title | Apache Olingo OData 4.6.x XML Injection |
References
- https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
- https://seclists.org/bugtraq/2019/Dec/11
- http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E