Vulnerability Database

CVE-2020-26217

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

CVSS v3:

  • Severity: High
  • Score: 8.8
  • AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: High
  • Score: 9.3
  • AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

OWASP TOP 10:

| Software | From | Fixed in |
|---|---|---|
| debian / debian_linux | 9.0 | 9.0.x |
| debian / debian_linux | 10.0 | 10.0.x |
| netapp / snapmanager | - | - |
| oracle / banking_platform | 2.4.0 | 2.4.0.x |
| oracle / communications_policy_management | 12.5.0 | 12.5.0.x |
| oracle / banking_platform | 2.7.1 | 2.7.1.x |
| oracle / banking_platform | 2.9.0 | 2.9.0.x |
| oracle / banking_virtual_account_management | 14.3.0 | 14.3.0.x |
| oracle / business_activity_monitoring | 12.2.1.3.0 | 12.2.1.3.0.x |
| oracle / business_activity_monitoring | 11.1.1.9.0 | 11.1.1.9.0.x |
| oracle / business_activity_monitoring | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / retail_xstore_point_of_service | 16.0.6 | 16.0.6.x |
| oracle / retail_xstore_point_of_service | 17.0.4 | 17.0.4.x |
| oracle / retail_xstore_point_of_service | 18.0.3 | 18.0.3.x |
| oracle / retail_xstore_point_of_service | 19.0.2 | 19.0.2.x |
| oracle / banking_virtual_account_management | 14.2.0 | 14.2.0.x |
| oracle / banking_virtual_account_management | 14.5.0 | 14.5.0.x |
| oracle / banking_cash_management | 14.2 | 14.2.x |
| oracle / banking_cash_management | 14.3 | 14.3.x |
| oracle / banking_cash_management | 14.5 | 14.5.x |
| oracle / endeca_information_discovery_studio | 3.2.0.0 | 3.2.0.0.x |
| oracle / banking_trade_finance_process_management | 14.2 | 14.2.x |
| oracle / banking_trade_finance_process_management | 14.3 | 14.3.x |
| oracle / banking_trade_finance_process_management | 14.5 | 14.5.x |
| oracle / banking_credit_facilities_process_management | 14.2 | 14.2.x |
| oracle / banking_credit_facilities_process_management | 14.3 | 14.3.x |
| oracle / banking_credit_facilities_process_management | 14.5 | 14.5.x |
| oracle / banking_corporate_lending_process_management | 14.2 | 14.2.x |
| oracle / banking_corporate_lending_process_management | 14.3 | 14.3.x |
| oracle / banking_corporate_lending_process_management | 14.5 | 14.5.x |
| oracle / banking_supply_chain_finance | 14.2 | 14.2.x |
| oracle / banking_supply_chain_finance | 14.3 | 14.3.x |
| oracle / banking_supply_chain_finance | 14.5 | 14.5.x |
| com.thoughtworks.xstream / xstream | - | 1.4.14-jdk7 |
| xstream / xstream | - | 1.4.14 |
| apache / activemq | - | 5.15.14 |
| apache / activemq | 5.16.0 | 5.16.0.x |