CVE-2019-17554: Improper Restriction of XML External Entity Reference

December 4, 2019 (updated December 13, 2019)

The XML content type entity deserializer in Apache Olingo is not configured to deny the resolution of external entities. Request with content type application/xml, which trigger the deserialization of entities, can be used to trigger XXE attacks.

References

mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
nvd.nist.gov/vuln/detail/CVE-2019-17554

Detect and mitigate CVE-2019-17554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →