CVE-2020-26217

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Risk Information

Base Score: 8.8 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 93.566

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2020-26217 are fixed in Thoughtworks-Xstream 1.4.14 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.5 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.3 | Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.1 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.3 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.0.0 | Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.8 | Windows
libxstream-java security update (DSA-4811-1) libxstream-java_1.4.11.1-1+deb10u1_all.deb | Linux
(RHSA-2021:0162) xstream security update xstream-1.3.1-12.el7_9.noarch.rpm | Linux
(RHSA-2021:0162) xstream security update xstream-javadoc-1.3.1-12.el7_9.noarch.rpm | Linux
Java library to serialize objects to XML and back again (USN-4714-1) libxstream-java_1.4.11.1-1~18.04.1_all.deb | Linux
Java library to serialize objects to XML and back again (USN-4714-1) libxstream-java_1.4.11.1-1ubuntu0.1_all.deb | Linux
Xstream update (ELSA-2021-0162) xstream-1.3.1-12.el7_9.noarch.rpm | Linux
Xstream-javadoc update (ELSA-2021-0162) xstream-javadoc-1.3.1-12.el7_9.noarch.rpm | Linux
Java library to serialize objects to XML and back again (USN-4943-1) libxstream-java_1.4.15-1ubuntu0.1_all.deb | Linux
Java library to serialize objects to XML and back again (USN-4943-1) libxstream-java_1.4.11.1-1~18.04.2_all.deb | Linux
Java library to serialize objects to XML and back again (USN-4943-1) libxstream-java_1.4.11.1-1ubuntu0.2_all.deb | Linux
Java library to serialize objects to XML and back again (USN-4943-1) libxstream-java_1.4.11.1-2ubuntu0.1_all.deb | Linux
(CESA-2021:0162) xstream security update xstream-1.3.1-12.el7_9.noarch.rpm | Linux
(CESA-2021:0162) xstream security update xstream-javadoc-1.3.1-12.el7_9.noarch.rpm | Linux
Vulnerabilities CVE-2020-26217 are fixed in Thoughtworks-Xstream for Linux 1.4.14 | Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2020-26217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217