SB2020011326 - Server-Side Request Forgery (SSRF) in Apache Olingo library

Description

This security bulletin contains information about 1 security vulnerability.

1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-1925)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to the AsyncRequestWrapperImpl class reads a URL from the Location header, and then sends a GET or DELETE request to this URL. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Remediation

Install update from vendor's website.

References

• https://mail-archives.apache.org/mod_mbox/olingo-user/202001.mbox/%3CCAGSZ4d6HwpF2woOrZJg_d0SkHytXJaCtAWXa3ZtBn33WG0YFvw%40mail.gmail.com%3E
• https://github.com/apache/olingo-odata4/pull/63/files