csaf_opensuse - opensuse-su-2021:0140-1

opensuse-su-2021:0140-1

Vulnerability from csaf_opensuse

Published

2021-01-22 16:22

Modified

2021-01-22 16:22

Summary

Security update for xstream

Notes

Title of the patch

Security update for xstream

Description of the patch

This update for xstream fixes the following issues: xstream was updated to version 1.4.15. - CVE-2020-26217: Fixed a remote code execution due to insecure XML deserialization when relying on blocklists (bsc#1180994). - CVE-2020-26258: Fixed a server-side request forgery vulnerability (bsc#1180146). - CVE-2020-26259: Fixed an arbitrary file deletion vulnerability (bsc#1180145). This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patchnames

openSUSE-2021-140

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for xstream",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for xstream fixes the following issues:\n\nxstream was updated to version 1.4.15.\n\n- CVE-2020-26217: Fixed a remote code execution due to insecure XML deserialization when relying on blocklists (bsc#1180994).\n- CVE-2020-26258: Fixed a server-side request forgery vulnerability (bsc#1180146).\n- CVE-2020-26259: Fixed an arbitrary file deletion vulnerability (bsc#1180145).\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-140",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0140-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:0140-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CTO6QRFLVKVHOYBP6VLJP4KZXZFZSKET/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:0140-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CTO6QRFLVKVHOYBP6VLJP4KZXZFZSKET/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1180145",
        "url": "https://bugzilla.suse.com/1180145"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1180146",
        "url": "https://bugzilla.suse.com/1180146"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1180994",
        "url": "https://bugzilla.suse.com/1180994"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-26217 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-26217/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-26258 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-26258/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-26259 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-26259/"
      }
    ],
    "title": "Security update for xstream",
    "tracking": {
      "current_release_date": "2021-01-22T16:22:21Z",
      "generator": {
        "date": "2021-01-22T16:22:21Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:0140-1",
      "initial_release_date": "2021-01-22T16:22:21Z",
      "revision_history": [
        {
          "date": "2021-01-22T16:22:21Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "xstream-1.4.15-lp152.2.3.1.noarch",
                "product": {
                  "name": "xstream-1.4.15-lp152.2.3.1.noarch",
                  "product_id": "xstream-1.4.15-lp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
                "product": {
                  "name": "xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
                  "product_id": "xstream-benchmark-1.4.15-lp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
                "product": {
                  "name": "xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
                  "product_id": "xstream-javadoc-1.4.15-lp152.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "xstream-parent-1.4.15-lp152.2.3.1.noarch",
                "product": {
                  "name": "xstream-parent-1.4.15-lp152.2.3.1.noarch",
                  "product_id": "xstream-parent-1.4.15-lp152.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xstream-1.4.15-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch"
        },
        "product_reference": "xstream-1.4.15-lp152.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xstream-benchmark-1.4.15-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch"
        },
        "product_reference": "xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xstream-javadoc-1.4.15-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch"
        },
        "product_reference": "xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "xstream-parent-1.4.15-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
        },
        "product_reference": "xstream-parent-1.4.15-lp152.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-26217",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-26217"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream\u0027s Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-26217",
          "url": "https://www.suse.com/security/cve/CVE-2020-26217"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180994 for CVE-2020-26217",
          "url": "https://bugzilla.suse.com/1180994"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-01-22T16:22:21Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-26217"
    },
    {
      "cve": "CVE-2020-26258",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-26258"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-26258",
          "url": "https://www.suse.com/security/cve/CVE-2020-26258"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180146 for CVE-2020-26258",
          "url": "https://bugzilla.suse.com/1180146"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-01-22T16:22:21Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-26258"
    },
    {
      "cve": "CVE-2020-26259",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-26259"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
          "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-26259",
          "url": "https://www.suse.com/security/cve/CVE-2020-26259"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1180145 for CVE-2020-26259",
          "url": "https://bugzilla.suse.com/1180145"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:xstream-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-benchmark-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-javadoc-1.4.15-lp152.2.3.1.noarch",
            "openSUSE Leap 15.2:xstream-parent-1.4.15-lp152.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-01-22T16:22:21Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-26259"
    }
  ]
}

CVE-2020-26258 (GCVE-0-2020-26258)

Vulnerability from cvelistv5

Published

2020-12-16 01:05

Modified

2025-01-15 20:20

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

References

►

URL

Tags

	https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28	x_refsource_CONFIRM
	https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210409-0005	x_refsource_MISC
	https://www.debian.org/security/2021/dsa-4828	x_refsource_MISC
	https://x-stream.github.io/CVE-2020-26258.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	x-stream	xstream	Version: < 1.4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:04.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://x-stream.github.io/CVE-2020-26258.html"
          },
          {
            "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
          },
          {
            "name": "DSA-4828",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4828"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
          },
          {
            "name": "FEDORA-2021-fbad11014a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
          },
          {
            "name": "FEDORA-2021-d894ca87dc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
          },
          {
            "name": "FEDORA-2021-5e376c0ed9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.15"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-15T20:20:17.971Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28"
        },
        {
          "name": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E"
        },
        {
          "name": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
        },
        {
          "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
        },
        {
          "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
        },
        {
          "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
        },
        {
          "name": "https://security.netapp.com/advisory/ntap-20210409-0005",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210409-0005"
        },
        {
          "name": "https://www.debian.org/security/2021/dsa-4828",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4828"
        },
        {
          "name": "https://x-stream.github.io/CVE-2020-26258.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://x-stream.github.io/CVE-2020-26258.html"
        }
      ],
      "source": {
        "advisory": "GHSA-4cch-wxpw-8p28",
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Forgery Request can be activated unmarshalling with XStream"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26258",
    "datePublished": "2020-12-16T01:05:22",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2025-01-15T20:20:17.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26259 (GCVE-0-2020-26259)

Vulnerability from cvelistv5

Published

2020-12-16 01:05

Modified

2024-08-04 15:56

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-78 - OS Command Injection

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

References

►

URL

Tags

	https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh	x_refsource_CONFIRM
	https://x-stream.github.io/CVE-2020-26259.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4828	vendor-advisory, x_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-20210409-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	x-stream	xstream	Version: < 1.4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:04.167Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://x-stream.github.io/CVE-2020-26259.html"
          },
          {
            "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
          },
          {
            "name": "DSA-4828",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4828"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
          },
          {
            "name": "FEDORA-2021-fbad11014a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
          },
          {
            "name": "FEDORA-2021-d894ca87dc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
          },
          {
            "name": "FEDORA-2021-5e376c0ed9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.15"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-30T01:08:04",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://x-stream.github.io/CVE-2020-26259.html"
        },
        {
          "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
        },
        {
          "name": "DSA-4828",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4828"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
        },
        {
          "name": "FEDORA-2021-fbad11014a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
        },
        {
          "name": "FEDORA-2021-d894ca87dc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
        },
        {
          "name": "FEDORA-2021-5e376c0ed9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
        }
      ],
      "source": {
        "advisory": "GHSA-jfvx-7wrx-43fh",
        "discovery": "UNKNOWN"
      },
      "title": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26259",
          "STATE": "PUBLIC",
          "TITLE": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xstream",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.4.15"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "x-stream"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh",
              "refsource": "CONFIRM",
              "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
            },
            {
              "name": "https://x-stream.github.io/CVE-2020-26259.html",
              "refsource": "MISC",
              "url": "https://x-stream.github.io/CVE-2020-26259.html"
            },
            {
              "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
            },
            {
              "name": "DSA-4828",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4828"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210409-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
            },
            {
              "name": "FEDORA-2021-fbad11014a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
            },
            {
              "name": "FEDORA-2021-d894ca87dc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
            },
            {
              "name": "FEDORA-2021-5e376c0ed9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jfvx-7wrx-43fh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26259",
    "datePublished": "2020-12-16T01:05:16",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:56:04.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26217 (GCVE-0-2020-26217)

Vulnerability from cvelistv5

Published

2020-11-16 21:00

Modified

2024-08-04 15:49

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-78 - OS Command Injection

Summary

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

References

►

URL

Tags

	https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2	x_refsource_CONFIRM
	https://x-stream.github.io/CVE-2020-26217.html	x_refsource_CONFIRM
	https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2020/dsa-4811	vendor-advisory, x_refsource_DEBIAN
	https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210409-0004/	x_refsource_CONFIRM
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	x-stream	xstream	Version: < 1.4.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:49:07.258Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://x-stream.github.io/CVE-2020-26217.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
          },
          {
            "name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"
          },
          {
            "name": "DSA-4811",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4811"
          },
          {
            "name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"
          },
          {
            "name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"
          },
          {
            "name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream\u0027s Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:22:18",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://x-stream.github.io/CVE-2020-26217.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
        },
        {
          "name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"
        },
        {
          "name": "DSA-4811",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4811"
        },
        {
          "name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"
        },
        {
          "name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"
        },
        {
          "name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        }
      ],
      "source": {
        "advisory": "GHSA-mw36-7c6c-q4q2",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution in XStream",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26217",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in XStream"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xstream",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.4.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "x-stream"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream\u0027s Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2",
              "refsource": "CONFIRM",
              "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"
            },
            {
              "name": "https://x-stream.github.io/CVE-2020-26217.html",
              "refsource": "CONFIRM",
              "url": "https://x-stream.github.io/CVE-2020-26217.html"
            },
            {
              "name": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
              "refsource": "CONFIRM",
              "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
            },
            {
              "name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"
            },
            {
              "name": "DSA-4811",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4811"
            },
            {
              "name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210409-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mw36-7c6c-q4q2",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26217",
    "datePublished": "2020-11-16T21:00:18",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:49:07.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2021:0140-1

Vulnerability from csaf_opensuse

CVE-2020-26258 (GCVE-0-2020-26258)

Vulnerability from cvelistv5

CVE-2020-26259 (GCVE-0-2020-26259)

Vulnerability from cvelistv5

CVE-2020-26217 (GCVE-0-2020-26217)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature