CVE-2019-17556: Deserialization of Untrusted Data

February 4, 2020 (updated August 19, 2021)

Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn’t check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker’s code in the worse case.

References

github.com/advisories/GHSA-gj76-429m-56wc
github.com/apache/olingo-odata4/pull/60/files
nvd.nist.gov/vuln/detail/CVE-2019-17556

Detect and mitigate CVE-2019-17556 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →