CVE-2019-17554: Improper Restriction of XML External Entity Reference

February 4, 2020 (updated August 19, 2021)

The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type “application/xml”, which trigger the deserialization of entities, can be used to trigger XXE attacks.

References

github.com/advisories/GHSA-mgh8-hcwj-h57v
github.com/apache/olingo-odata4/commit/5948974ad28271818e2afe747c71cde56a7f2c63
github.com/apache/olingo-odata4/commit/c3f982db3d97e395d313ae8f231202bb2139882c
nvd.nist.gov/vuln/detail/CVE-2019-17554

Code Behaviors & Features

Detect and mitigate CVE-2019-17554 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →