Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity
8.8 HIGH
EPSS
93.0%
top 0.22%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Nov 16
Latest update: Aug 22

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 6.0

Affected Packages (17 packages)

NVD: xstream/xstream < 1.4.14
CVEListV5: x-stream/xstream < 1.4.14
Maven: com.thoughtworks.xstream:xstream < 1.4.14-java7
Debian: libxstream-java < 1.4.14-1+3
Ubuntu: libxstream-java < 1.4.11.1-1~18.04.2+5

Also affects: Debian Linux 10.0, 9.0

Patches

Vulnerability Details (7)

OSV: libxstream-java vulnerabilities (2024-08-22)
OSV: libxstream-java vulnerabilities (2021-05-11)
OSV: libxstream-java vulnerabilities (2021-01-28)
OSV: XStream can be used for Remote Code Execution (2020-11-16)
GHSA: XStream can be used for Remote Code Execution (2020-11-16)

Exploits & PoCs (1)

Nuclei: XStream <1.4.14 - Remote Code Execution

Vendor Advisories (7)

Ubuntu: XStream vulnerabilities (2024-08-22)
Atlassian: CVE-2020-26217: RCE (Remote Code Execution) org.jvnet.hudson:xstream Dependency in Bamboo Data Center and Server (2024-01-16)
Ubuntu: XStream vulnerabilities (2021-05-11)
Oracle: Oracle Financial Services Applications Risk Matrix: Collections (XStream) — CVE-2020-26217 (2021-04-15)
Ubuntu: XStream vulnerabilities (2021-01-28)