7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1925

GHSA ID

GHSA-v4qh-6367-4cx2

EPSS Score

0.77804%

CWE

CWE-918

Published

2/4/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-1925

CVE-2020-1925: Server-Side Request Forgery (SSRF) in Apache Olingo

Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1925

GHSA ID

GHSA-v4qh-6367-4cx2

EPSS Score

0.77804%

CWE

CWE-918

Published

2/4/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.olingo:odata-client-core	maven	>= 4.0.0, <= 4.7.0	4.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CVE description directly implicates AsyncRequestWrapperImpl as the vulnerable class handling Location headers. While exact patch details are unavailable, the SSRF mechanism requires: 1) A function retrieving Location headers (likely handleRedirect), and 2) A function executing requests to those URLs (execute method). These would appear in stack traces when processing malicious Location values. Confidence is high for handleRedirect as it's explicitly described as the processing point, and medium for execute as the request execution entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Olin*o v*rsions *.*.* to *.*.* provi** t** *syn*R*qu*stWr*pp*rImpl *l*ss w*i** r***s * URL *rom t** Lo**tion *****r, *n* t**n s*n*s * **T or **L*T* r*qu*st to t*is URL. It m*y *llow to impl*m*nt * SSR* *tt**k. I* *n *tt**k*r tri*ks * *li*nt to

Reasoning

T** *V* **s*ription *ir**tly impli**t*s `*syn*R*qu*stWr*pp*rImpl` *s t** vuln*r**l* *l*ss **n*lin* Lo**tion *****rs. W*il* *x**t p*t** **t*ils *r* un*v*il**l*, t** SSR* m****nism r*quir*s: *) * *un*tion r*tri*vin* Lo**tion *****rs (lik*ly `**n*l*R**i

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-1925: Server-Side Request Forgery (SSRF) in Apache Olingo

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI