Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2022-34213 Vulnerability in maven package org.jenkins-ci.plugins:squashtm-publisher
CVE-2019-10378 Vulnerability in maven package org.jenkins-ci.plugins:testlink
CVE-2022-23307 Vulnerability in maven package org.apache.logging.log4j:log4j
CVE-2023-46652 Vulnerability in maven package org.jenkins-ci.plugins:lambdatest-automation
CVE-2023-49397 Vulnerability in maven package com.jfinal:jfinal