Home > Vulnerability Database > CVE-2020-26217

Mend.io Vulnerability Database

CVE-2020-26217

Good to know:

Date: November 16, 2020

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Language: Java

Severity Score

8.0

Related Resources (24)

Url: https://x-stream.github.io/CVE-2020-26217.html

Url: https://www.oracle.com/security-alerts/cpuApr2021.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-26217

Url: https://access.redhat.com/security/cve/CVE-2020-26217

Url: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

Url: https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

Url: https://github.com/x-stream/xstream

Url: https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E

Url: https://security.netapp.com/advisory/ntap-20210409-0004

Url: https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E

Url: https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E

Url: https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html

Url: https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E

Url: https://www.debian.org/security/2020/dsa-4811

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://security.netapp.com/advisory/ntap-20210409-0004/

Url: https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E

Url: https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2020-26217

Severity Score

8.0

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version com.thoughtworks.xstream:xstream:1.4.14

Learn More

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	9.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-26217

Good to know:

Date: November 16, 2020

Language: Java

Severity Score

Related Resources (24)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?