// For flags

CVE-2020-26217

Remote Code Execution in XStream

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

XStream anterior a versión 1.4.14, es vulnerable a una ejecución de código remota. La vulnerabilidad puede permitir a un atacante remoto ejecutar comandos de shell arbitrarios solo manipulando el flujo de entrada procesado. Solo los usuarios que dependen de las listas de bloqueo están afectados. Cualquiera que utilice la lista de permitidos del Security Framework de XStream no estará afectado. El aviso vinculado proporciona soluciones de código para usuarios que no pueden actualizar. El problema se corrigió en la versión 1.4.14

A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-10-01 CVE Reserved
  • 2020-11-16 CVE Published
  • 2020-12-08 First Exploit
  • 2024-08-04 CVE Updated
  • 2024-10-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (19)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Xstream Project
Search vendor "Xstream Project"
Xstream
Search vendor "Xstream Project" for product "Xstream"
< 1.4.14
Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.14"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
*sap
Affected
Netapp
Search vendor "Netapp"
Snapmanager
Search vendor "Netapp" for product "Snapmanager"
-oracle
Affected
Apache
Search vendor "Apache"
Activemq
Search vendor "Apache" for product "Activemq"
5.15.4
Search vendor "Apache" for product "Activemq" and version "5.15.4"
-
Affected
Oracle
Search vendor "Oracle"
Banking Cash Management
Search vendor "Oracle" for product "Banking Cash Management"
14.2
Search vendor "Oracle" for product "Banking Cash Management" and version "14.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Cash Management
Search vendor "Oracle" for product "Banking Cash Management"
14.3
Search vendor "Oracle" for product "Banking Cash Management" and version "14.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Cash Management
Search vendor "Oracle" for product "Banking Cash Management"
14.5
Search vendor "Oracle" for product "Banking Cash Management" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Corporate Lending Process Management
Search vendor "Oracle" for product "Banking Corporate Lending Process Management"
14.2
Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Corporate Lending Process Management
Search vendor "Oracle" for product "Banking Corporate Lending Process Management"
14.3
Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Corporate Lending Process Management
Search vendor "Oracle" for product "Banking Corporate Lending Process Management"
14.5
Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Credit Facilities Process Management
Search vendor "Oracle" for product "Banking Credit Facilities Process Management"
14.2
Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Credit Facilities Process Management
Search vendor "Oracle" for product "Banking Credit Facilities Process Management"
14.3
Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Credit Facilities Process Management
Search vendor "Oracle" for product "Banking Credit Facilities Process Management"
14.5
Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.4.0
Search vendor "Oracle" for product "Banking Platform" and version "2.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.7.1
Search vendor "Oracle" for product "Banking Platform" and version "2.7.1"
-
Affected
Oracle
Search vendor "Oracle"
Banking Platform
Search vendor "Oracle" for product "Banking Platform"
2.9.0
Search vendor "Oracle" for product "Banking Platform" and version "2.9.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Supply Chain Finance
Search vendor "Oracle" for product "Banking Supply Chain Finance"
14.2
Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Supply Chain Finance
Search vendor "Oracle" for product "Banking Supply Chain Finance"
14.3
Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Supply Chain Finance
Search vendor "Oracle" for product "Banking Supply Chain Finance"
14.5
Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Trade Finance Process Management
Search vendor "Oracle" for product "Banking Trade Finance Process Management"
14.2
Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.2"
-
Affected
Oracle
Search vendor "Oracle"
Banking Trade Finance Process Management
Search vendor "Oracle" for product "Banking Trade Finance Process Management"
14.3
Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.3"
-
Affected
Oracle
Search vendor "Oracle"
Banking Trade Finance Process Management
Search vendor "Oracle" for product "Banking Trade Finance Process Management"
14.5
Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5"
-
Affected
Oracle
Search vendor "Oracle"
Banking Virtual Account Management
Search vendor "Oracle" for product "Banking Virtual Account Management"
14.2.0
Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Virtual Account Management
Search vendor "Oracle" for product "Banking Virtual Account Management"
14.3.0
Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Banking Virtual Account Management
Search vendor "Oracle" for product "Banking Virtual Account Management"
14.5.0
Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Activity Monitoring
Search vendor "Oracle" for product "Business Activity Monitoring"
11.1.1.9.0
Search vendor "Oracle" for product "Business Activity Monitoring" and version "11.1.1.9.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Activity Monitoring
Search vendor "Oracle" for product "Business Activity Monitoring"
12.2.1.3.0
Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
Business Activity Monitoring
Search vendor "Oracle" for product "Business Activity Monitoring"
12.2.1.4.0
Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
Communications Policy Management
Search vendor "Oracle" for product "Communications Policy Management"
12.5.0
Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"
-
Affected
Oracle
Search vendor "Oracle"
Endeca Information Discovery Studio
Search vendor "Oracle" for product "Endeca Information Discovery Studio"
3.2.0.0
Search vendor "Oracle" for product "Endeca Information Discovery Studio" and version "3.2.0.0"
-
Affected
Oracle
Search vendor "Oracle"
Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
16.0.6
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6"
-
Affected
Oracle
Search vendor "Oracle"
Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
17.0.4
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4"
-
Affected
Oracle
Search vendor "Oracle"
Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
18.0.3
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3"
-
Affected
Oracle
Search vendor "Oracle"
Retail Xstore Point Of Service
Search vendor "Oracle" for product "Retail Xstore Point Of Service"
19.0.2
Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2"
-
Affected