CVE-2020-26217: XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

EXPLOIT

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Affected

38 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	activemq	< 5.15.14	5.15.14
apache	activemq	—	—
atlassian	bamboo_data_center	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	libxstream-java	< libxstream-java 1.4.14-1 (bookworm)	libxstream-java 1.4.14-1 (bookworm)
oracle	banking_cash_management	—	—
oracle	banking_cash_management	—	—
oracle	banking_cash_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_corporate_lending_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_credit_facilities_process_management	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_platform	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_supply_chain_finance	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	banking_trade_finance_process_management	—	—
oracle	banking_virtual_account_management	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ghsa9.8CRITICAL

osv9.8CRITICAL