From: mibo
Date: Wed, 8 Jan 2020 06:49:04 +0100
Subject: [SECURITY] CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl
To: announce@apache.org, security@apache.org, user@olingo.apache.org

CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Olingo 4.0.0 to 4.7.0
The OData v2 versions of Olingo 2.x are not affected.

Description: The AsyncRequestWrapperImpl class reads a URL from the Location header and then sends a GET or DELETE request to this URL. This may allow an SSRF attack. If an attacker tricks a client into connecting to a malicious server, the server can make the client call any URL, including internal resources that are not directly accessible to the attacker.

Mitigation: 4.x.x users should upgrade to 4.7.1.

Credit: This issue was discovered by Artem Smotrakov of SAP SE.

Links: https://issues.apache.org/jira/browse/OLINGO-1416
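One defensive check for the behaviour described above, as an added illustration in Python (not Olingo's Java code and not the 4.7.1 fix): before a client follows the Location header of an asynchronous response, pin the target to the scheme, host and port of the service root it was configured to talk to. The function name, the policy and the sample URLs are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(scheme: str, port: Optional[int]) -> Optional[int]:
    """Normalise an absent port to the scheme default so :443 and no-port compare equal."""
    return port if port is not None else DEFAULT_PORTS.get(scheme)


def safe_async_location(service_root: str, location: Optional[str]) -> Optional[str]:
    """Return the absolute URL the client may poll, or None if the Location must be refused.

    service_root: the OData service URL the client was configured with.
    location:     the raw Location header value from the server's async response.
    Policy (an assumption for this example, not Olingo's own logic): the target
    must use the same scheme, host and port as the service root and carry no
    embedded credentials. Relative Locations are resolved against the root.
    """
    if not location:
        return None
    root = urlsplit(service_root)
    target = urlsplit(urljoin(service_root, location))
    # Refuse non-HTTP schemes and scheme changes (e.g. https -> http downgrade).
    if target.scheme not in ALLOWED_SCHEMES or target.scheme != root.scheme:
        return None
    # Refuse userinfo: it is a classic way to disguise the real host.
    if target.username or target.password:
        return None
    # Host must be present and match the service root (hostname is already lower-cased).
    if not target.hostname or target.hostname != root.hostname:
        return None
    if _effective_port(target.scheme, target.port) != _effective_port(root.scheme, root.port):
        return None
    return target.geturl()
```

A server the client legitimately talks to can still send it anywhere under its own origin, which is the intended use; what the check removes is the ability to redirect the client to internal or third-party hosts.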