CVE-2020-26217

Remote Code Execution in XStream

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

XStream anterior a versión 1.4.14, es vulnerable a una ejecución de código remota. La vulnerabilidad puede permitir a un atacante remoto ejecutar comandos de shell arbitrarios solo manipulando el flujo de entrada procesado. Solo los usuarios que dependen de las listas de bloqueo están afectados. Cualquiera que utilice la lista de permitidos del Security Framework de XStream no estará afectado. El aviso vinculado proporciona soluciones de código para usuarios que no pueden actualizar. El problema se corrigió en la versión 1.4.14

A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-01 CVE Reserved
2020-11-16 CVE Published
2020-12-08 First Exploit
2024-08-04 CVE Updated
2024-10-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-502: Deserialization of Untrusted Data

CAPEC

References (19)

URL	Tag	Source
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2	Mitigation
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html	Mailing List
https://security.netapp.com/advisory/ntap-20210409-0004	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Not Applicable
https://www.oracle.com/security-alerts/cpujan2022.html	Not Applicable

URL	Date	SRC
https://github.com/Al1ex/CVE-2020-26217	2021-01-22
https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC	2020-12-08
https://x-stream.github.io/CVE-2020-26217.html	2024-08-04

URL	Date	SRC
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a	2023-11-07
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://www.debian.org/security/2020/dsa-4811	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-26217	2021-12-14
https://bugzilla.redhat.com/show_bug.cgi?id=1898907	2021-12-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xstream Project Search vendor "Xstream Project"		Xstream Search vendor "Xstream Project" for product "Xstream"				< 1.4.14 Search vendor "Xstream Project" for product "Xstream" and version " < 1.4.14"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Netapp Search vendor "Netapp"		Snapmanager Search vendor "Netapp" for product "Snapmanager"				*		sap		Affected
Netapp Search vendor "Netapp"		Snapmanager Search vendor "Netapp" for product "Snapmanager"				-		oracle		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.15.4 Search vendor "Apache" for product "Activemq" and version "5.15.4"		-		Affected
Oracle Search vendor "Oracle"		Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management"				14.2 Search vendor "Oracle" for product "Banking Cash Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management"				14.3 Search vendor "Oracle" for product "Banking Cash Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Cash Management Search vendor "Oracle" for product "Banking Cash Management"				14.5 Search vendor "Oracle" for product "Banking Cash Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.2 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.3 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.5 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.2 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.3 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.5 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.4.0 Search vendor "Oracle" for product "Banking Platform" and version "2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.7.1 Search vendor "Oracle" for product "Banking Platform" and version "2.7.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Platform Search vendor "Oracle" for product "Banking Platform"				2.9.0 Search vendor "Oracle" for product "Banking Platform" and version "2.9.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.2 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.3 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.5 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.2 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.3 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.3"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.5 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.2.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.5.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring"				11.1.1.9.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "11.1.1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring"				12.2.1.3.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Business Activity Monitoring Search vendor "Oracle" for product "Business Activity Monitoring"				12.2.1.4.0 Search vendor "Oracle" for product "Business Activity Monitoring" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Policy Management Search vendor "Oracle" for product "Communications Policy Management"				12.5.0 Search vendor "Oracle" for product "Communications Policy Management" and version "12.5.0"		-		Affected
Oracle Search vendor "Oracle"		Endeca Information Discovery Studio Search vendor "Oracle" for product "Endeca Information Discovery Studio"				3.2.0.0 Search vendor "Oracle" for product "Endeca Information Discovery Studio" and version "3.2.0.0"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				16.0.6 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "16.0.6"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				17.0.4 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "17.0.4"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				18.0.3 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "18.0.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				19.0.2 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "19.0.2"		-		Affected