olingo-user mailing list archives

From mibo <m...@apache.org>
Subject [SECURITY] CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl
Date Wed, 08 Jan 2020 05:49:04 GMT
CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
Olingo 4.0.0 to 4.7.0
The OData v2 versions of Olingo 2.x are not affected

The AsyncRequestWrapperImpl class reads a URL from the Location
header of an asynchronous response and then sends a GET or DELETE
request to that URL without checking where it points. This allows a
server-side request forgery (SSRF) attack: if an attacker tricks a
client into connecting to a malicious server, that server can make the
client send requests to any URL, including internal resources that are
not directly reachable by the attacker.
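The pattern behind this advisory, and one way to close it, as an added illustration that is not Olingo code and does not describe the actual 4.7.1 fix: a client that blindly follows the Location header of an async response is shown next to a variant that first resolves the header against the configured service root and rejects any target that leaves that origin (scheme, host, port and path prefix). The service root, the malicious Location value and the `_fake_send` transport are constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample input (not from the advisory): the OData service root
# the client was configured for, and a Location header a malicious server
# could return to redirect the client at an internal address.
SERVICE_ROOT = "https://odata.example.com/V4/Service.svc/"
MALICIOUS_LOCATION = "http://169.254.169.254/latest/meta-data/"


def follow_location_blind(location, send):
    """Vulnerable pattern: whatever the server put in Location is fetched
    as-is with the caller-supplied transport (this is the SSRF)."""
    return send("GET", location)


class DisallowedLocation(ValueError):
    """Raised when a Location header points outside the service origin."""


def check_location(service_root, location):
    """Resolve `location` against `service_root` and require that the
    result stays on the same scheme, host, port and path prefix.
    Returns the absolute target URL on success."""
    # RFC 7231 allows a relative Location; resolve it against the service
    # root so the checks below always see an absolute URL.
    absolute = urljoin(service_root, location)
    root = urlparse(service_root)
    target = urlparse(absolute)

    if target.scheme not in ("http", "https") or target.scheme != root.scheme:
        raise DisallowedLocation(f"scheme not allowed: {absolute!r}")
    # Compare hostnames, not netloc, so "user@evil" tricks are caught by
    # the hostname comparison rather than slipping past a string check.
    if (target.hostname or "").lower() != (root.hostname or "").lower():
        raise DisallowedLocation(f"host {target.hostname!r} is not the service host")
    default_ports = {"http": 80, "https": 443}
    if (target.port or default_ports[target.scheme]) != (root.port or default_ports[root.scheme]):
        raise DisallowedLocation(f"port mismatch: {absolute!r}")
    if not target.path.startswith(root.path):
        raise DisallowedLocation(f"path {target.path!r} is outside the service root")
    return absolute


def is_allowed(service_root, location):
    """Boolean form of check_location for callers that only need a verdict."""
    try:
        check_location(service_root, location)
        return True
    except DisallowedLocation:
        return False


def follow_location_checked(service_root, location, send, method="GET"):
    """Hardened pattern: only GET or DELETE, and only to a validated URL."""
    if method not in ("GET", "DELETE"):
        raise ValueError(f"unexpected method {method!r}")
    return send(method, check_location(service_root, location))


def _fake_send(method, url):
    """Stand-in transport for the example; a real client would use HTTP."""
    return f"{method} {url}"


if __name__ == "__main__":
    print(follow_location_blind(MALICIOUS_LOCATION, _fake_send))
    print(is_allowed(SERVICE_ROOT, MALICIOUS_LOCATION))
    print(follow_location_checked(SERVICE_ROOT, "$monitor/42", _fake_send, "DELETE"))
```

The same-origin check is deliberately strict: a Location that changes only the port, or that carries user-info in front of the real host, is rejected just like one pointing at a link-local metadata address, because any of them lets a malicious service steer the client somewhere the attacker cannot reach directly.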

4.x.x users should upgrade to 4.7.1

This issue was discovered by Artem Smotrakov of SAP SE.

