Description
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
Remediation
References
https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d4vbSYaVh3aUWAvcVHK2qcFxxCZd3WAx3xbwZXskPX8nw%40mail.gmail.com%3E
Related Vulnerabilities
CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http2:http2-hpack
CVE-2021-28655 Vulnerability in maven package org.apache.zeppelin:zeppelin
CVE-2022-42124 Vulnerability in maven package com.liferay:com.liferay.layout.page.template.service
CVE-2017-12617 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http2:http2-hpack