CVE-2019-17554
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
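The missing setting, shown as an added example that is not Olingo's code or its patch: it assumes a StAX (`XMLInputFactory`) parser, which the page does not confirm, and runs a constructed body that points an external entity at a temporary marker file through a default factory and a hardened one. The class name, marker value and `entry` element are hypothetical.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeHardeningCheck {
    // Constructed marker; it stands in for the content of any local file.
    static final String MARKER = "CONSTRUCTED-MARKER-1234";

    // Factory with DTD processing and external entity resolution turned off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Returns the character data the parser produced, or a note if it refused the input.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamReader.CHARACTERS) text.append(r.getText());
            }
            r.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return "<rejected: " + e.getMessage() + ">";
        }
    }

    public static void main(String[] args) throws Exception {
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(marker, MARKER);
        // Constructed "application/xml" body declaring an external entity.
        String body = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE entry [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>"
            + "<entry>&ext;</entry>";
        try {
            String dflt = parse(XMLInputFactory.newInstance(), body);
            String hard = parse(hardenedFactory(), body);
            System.out.println("default:  resolved=" + dflt.contains(MARKER) + " -> " + dflt);
            System.out.println("hardened: resolved=" + hard.contains(MARKER) + " -> " + hard);
        } finally {
            Files.delete(marker);
        }
    }
}
```

Whether the default factory resolves the marker depends on the JDK's own defaults; the hardened factory must never report `resolved=true`.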
Affected products
Apache · Olingo
public PoCs found — 2
cve_reference · packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html · unverified
exploitdb · www.exploit-db.com/exploits/47770 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/155619/Apache-Olingo-OData-4.6.x-XML-Injection.html
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
https://seclists.org/bugtraq/2019/Dec/11