Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and does not check the classes being deserialized. If an attacker can feed malicious metadata to this class, the result in the worst case may be execution of the attacker's code.
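The weakness described above is deserialization with a plain ObjectInputStream and no class checks. The following added example (not Apache Olingo code, and not the project's fix) shows how a defender can constrain such a read with the JDK's ObjectInputFilter (Java 9+): only an explicit allow-list of classes is accepted, and everything else is rejected before its readObject runs. The allow-list entries and the `example.metadata.EdmMetadataDocument` root type are placeholders, not real Olingo identifiers.

```java
import java.io.*;
import java.util.Set;

// Added illustration: read metadata bytes only if every class in the stream
// is on an explicit allow-list, using ObjectInputFilter (JEP 290, Java 9+).
public final class RestrictedDeserializer {
    // Hypothetical allow-list of the types a metadata document may contain.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer",
        "java.util.ArrayList", "java.util.HashMap",
        "example.metadata.EdmMetadataDocument"   // placeholder root type
    );

    private static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {                               // depth/reference checks carry no class
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) c = c.getComponentType(); // filter on the element type of arrays
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;      // -> InvalidClassException
    };

    public static Object readMetadata(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);           // must be set before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: an allow-listed type is read normally.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject("hello"); }
        System.out.println("accepted: " + readMetadata(bos.toByteArray()));

        // Constructed sample 2: a type outside the allow-list is rejected by the filter.
        bos.reset();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new java.util.Date()); }
        try {
            readMetadata(bos.toByteArray());
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A detection-side counterpart is to log every REJECTED decision from the filter, since a rejection on a metadata endpoint is a strong signal of tampered input.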
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E