Vulnerability Details CVE-2020-1925
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2020-1925
-
cpe:2.3:a:apache:olingo:4.0.0
-
cpe:2.3:a:apache:olingo:4.1.0
-
cpe:2.3:a:apache:olingo:4.2.0
-
cpe:2.3:a:apache:olingo:4.3.0
-
cpe:2.3:a:apache:olingo:4.4.0
-
cpe:2.3:a:apache:olingo:4.6.0
-
cpe:2.3:a:apache:olingo:4.7.0