CVE - CVE-2020-26217

CVE-ID
CVE-2020-26217	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a URL:https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a CONFIRM:https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 URL:https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 CONFIRM:https://security.netapp.com/advisory/ntap-20210409-0004/ URL:https://security.netapp.com/advisory/ntap-20210409-0004/ CONFIRM:https://x-stream.github.io/CVE-2020-26217.html URL:https://x-stream.github.io/CVE-2020-26217.html DEBIAN:DSA-4811 URL:https://www.debian.org/security/2020/dsa-4811 MISC:https://www.oracle.com//security-alerts/cpujul2021.html URL:https://www.oracle.com//security-alerts/cpujul2021.html MISC:https://www.oracle.com/security-alerts/cpuApr2021.html URL:https://www.oracle.com/security-alerts/cpuApr2021.html MISC:https://www.oracle.com/security-alerts/cpuapr2022.html URL:https://www.oracle.com/security-alerts/cpuapr2022.html MISC:https://www.oracle.com/security-alerts/cpujan2022.html URL:https://www.oracle.com/security-alerts/cpujan2022.html MISC:https://www.oracle.com/security-alerts/cpuoct2021.html URL:https://www.oracle.com/security-alerts/cpuoct2021.html MLIST:[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 URL:https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E MLIST:[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 URL:https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E MLIST:[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 URL:https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E MLIST:[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217 URL:https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E MLIST:[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update URL:https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201001	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201001)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)