org.apache.olingo:odata-client-core
Maven: 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.olingo:odata-client-core
- CVE-2019-17554 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 4.7.0 | 2019-12-04
vulnerable: 4.0.0 ... 4.6.0 (8 versions)
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, ca…
- CVE-2019-17555 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.7.0 | 2019-12-04
vulnerable: 4.0.0 ... 4.6.0 (8 versions)
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can he…
- CVE-2020-1925 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.7.1 | 2020-01-09
vulnerable: 4.0.0 ... 4.7.0 (9 versions)
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class, which reads a URL from the Location header and then sends a GET or DELETE request to this URL. This may allow an SSRF attack. If an attacker tricks …