CVE-2019-17554: XML External Entity resolution attack

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Olingo 4.0.0 to 4.6.0
The OData v2 versions of Olingo 2.x are not affected

Description:
The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Mitigation:
4.x.x users should upgrade to 4.7.0

Credit:
This issue was discovered by Archibald Haddock of Compass Security Schweiz AG.

Links:
https://issues.apache.org/jira/browse/OLINGO-1409
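The root cause named in the description is an XML parser left at its defaults, so that a DOCTYPE in the request body can declare entities and have them resolved. The following is an added illustration, not Olingo's code and not the change shipped in 4.7.0: it shows the difference between a default StAX `XMLInputFactory` and one configured to refuse DTDs and deny external entity resolution, using the JDK's standard `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` properties. The sample document and its `SYSTEM` identifier are constructed placeholders; `isHardened` is a hypothetical self-check a project could keep in its test suite to make sure a factory used for untrusted input stays locked down.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class XxeHardeningExample {

    // Constructed sample (not from the advisory): an OData-style entry whose
    // DOCTYPE declares an external entity. The SYSTEM identifier is a
    // placeholder, not a real resource.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE entry [ <!ENTITY ext SYSTEM \"file:///placeholder-not-a-real-path\"> ]>\n"
      + "<entry><Name>&ext;</Name></entry>";

    /** Default factory: the state the advisory describes, entity handling left unconfigured. */
    static XMLInputFactory permissiveFactory() {
        return XMLInputFactory.newInstance();
    }

    /** Hardened factory: refuse DTDs entirely and deny resolution of external entities. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    /** Parses the document with the given factory and returns its concatenated text content. */
    static String collectText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString().trim();
    }

    /**
     * Hypothetical self-check: a factory counts as hardened only if feeding it a
     * document with a DOCTYPE fails instead of being parsed. Suitable for a unit test
     * guarding whichever factory a deserializer uses for untrusted request bodies.
     */
    static boolean isHardened(XMLInputFactory factory) {
        try {
            collectText(factory, SAMPLE_WITH_DTD);
            return false; // DTD was accepted: entity resolution is not denied
        } catch (XMLStreamException expected) {
            return true;  // parser refused the DTD / undeclared entity
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory hardened?  " + isHardened(permissiveFactory()));
        System.out.println("hardened factory hardened? " + isHardened(hardenedFactory()));
    }
}
```

With the JDK's built-in StAX implementation the hardened factory fails the parse with an `XMLStreamException` rather than resolving `&ext;`, which is what `isHardened` relies on. The default factory, by contrast, attempts to resolve the external entity, so the same document is only safe because the placeholder path does not exist; a real deserializer has to rely on the configuration, not on what the request happens to reference.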
