Date: Wed, 8 Jan 2020 06:49:31 +0100 From: mibo <mibo@...che.org> To: oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl Severity: Important Vendor: The Apache Software Foundation Versions Affected: Olingo 4.0.0 to 4.7.0 The OData v2 versions of Olingo 2.x are not affected Description: The AsyncRequestWrapperImpl class reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker. Mitigation: 4.x.x users should upgrade to 4.7.1 Credit: This issue was discovered by Artem Smotrakov of SAP SE. Links: https://issues.apache.org/jira/browse/OLINGO-1416
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.