CVE - CVE-2020-26258

CVE-ID
CVE-2020-26258	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20210409-0005/ CONFIRM:https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28 URL:https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28 DEBIAN:DSA-4828 URL:https://www.debian.org/security/2021/dsa-4828 FEDORA:FEDORA-2021-5e376c0ed9 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/ FEDORA:FEDORA-2021-d894ca87dc URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/ FEDORA:FEDORA-2021-fbad11014a URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/ MISC:https://x-stream.github.io/CVE-2020-26258.html URL:https://x-stream.github.io/CVE-2020-26258.html MLIST:[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update URL:https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html MLIST:[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259 URL:https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201001	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201001)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)