Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-26258

Severity: 7.7 HIGH
EPSS: 93.7% (top 0.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Dec 16; latest update Aug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery (SSRF) vulnerability can be triggered during unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, solely by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 4.0

Affected Packages (6 packages)

Debian: libxstream-java < 1.4.15-1+3
Ubuntu: libxstream-java < 1.4.11.1-1~18.04.1+1
NVD: xstream/xstream < 1.4.15
CVEListV5: x-stream/xstream < 1.4.15

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34, 35

🔴 Vulnerability Details (7)

OSV: libxstream-java vulnerabilities (2024-08-22)
OSV: libxstream-java vulnerabilities (2021-05-11)
OSV: libxstream-java vulnerabilities (2021-01-28)
GHSA: Server-Side Forgery Request can be activated unmarshalling with XStream (2020-12-21)
OSV: Server-Side Forgery Request can be activated unmarshalling with XStream (2020-12-21)

💥 Exploits & PoCs (1)

Nuclei: XStream <1.4.15 - Server-Side Request Forgery

📋 Vendor Advisories (5)

Ubuntu: XStream vulnerabilities (2024-08-22)
Ubuntu: XStream vulnerabilities (2021-05-11)
Ubuntu: XStream vulnerabilities (2021-01-28)
Red Hat: XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (2020-12-13)
Debian: CVE-2020-26258: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream... (2020)