CVE-2020-26217
Remote Code Execution in XStream
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
XStream anterior a versión 1.4.14, es vulnerable a una ejecución de código remota. La vulnerabilidad puede permitir a un atacante remoto ejecutar comandos de shell arbitrarios solo manipulando el flujo de entrada procesado. Solo los usuarios que dependen de las listas de bloqueo están afectados. Cualquiera que utilice la lista de permitidos del Security Framework de XStream no estará afectado. El aviso vinculado proporciona soluciones de código para usuarios que no pueden actualizar. El problema se corrigió en la versión 1.4.14
A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-10-01 CVE Reserved
- 2020-11-16 CVE Published
- 2020-12-08 First Exploit
- 2024-08-04 CVE Updated
- 2024-10-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (19)
URL | Date | SRC |
---|---|---|
https://github.com/Al1ex/CVE-2020-26217 | 2021-01-22 | |
https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC | 2020-12-08 | |
https://x-stream.github.io/CVE-2020-26217.html | 2024-08-04 |
URL | Date | SRC |
---|---|---|
https://www.debian.org/security/2020/dsa-4811 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2020-26217 | 2021-12-14 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1898907 | 2021-12-14 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Xstream Project Search vendor "Xstream Project" | Xstream Search vendor "Xstream Project" for product "Xstream" | < 1.4.14 Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.14" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | * | sap |
Affected
| ||||||
Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | oracle |
Affected
| ||||||
Apache Search vendor "Apache" | Activemq Search vendor "Apache" for product "Activemq" | 5.15.4 Search vendor "Apache" for product "Activemq" and version "5.15.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.2 Search vendor "Oracle" for product "Banking Cash Management" and version "14.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.3 Search vendor "Oracle" for product "Banking Cash Management" and version "14.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management" | 14.5 Search vendor "Oracle" for product "Banking Cash Management" and version "14.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.2 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.3 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management" | 14.5 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.2 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.3 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management" | 14.5 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.4.0 Search vendor "Oracle" for product "Banking Platform" and version "2.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.7.1 Search vendor "Oracle" for product "Banking Platform" and version "2.7.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | 2.9.0 Search vendor "Oracle" for product "Banking Platform" and version "2.9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance" | 14.2 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance" | 14.3 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance" | 14.5 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.2 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.3 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management" | 14.5 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.2.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management" | 14.5.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 11.1.1.9.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "11.1.1.9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.3.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.4.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management" | 12.5.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Endeca Information Discovery Studio Search vendor "Oracle" for product "Endeca Information Discovery Studio" | 3.2.0.0 Search vendor "Oracle" for product "Endeca Information Discovery Studio" and version "3.2.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service" | 19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2" | - |
Affected
|