CVE-2020-26259

CWE-78OS Command Injection11 documents7 sources
Severity
6.8MEDIUM
EPSS
88.9%
top 0.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
X-stream XstreamApache StrutsXstream Xstream+2 more
Timeline
PublishedDec 16
Latest updateAug 22

Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The re

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 2.2 | Impact: 4.0

Affected Packages5 packages

Debianlibxstream-java< 1.4.15-1+3
NVDxstream/xstream< 1.4.15
CVEListV5x-stream/xstream< 1.4.15
NVDapache/struts< 6.0.0

Also affects: Debian Linux 10.0, 9.0, Fedora 33, 34, 35

🔴Vulnerability Details

5
OSV
libxstream-java vulnerabilities2021-01-28
OSV
XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling2020-12-21
GHSA
XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling2020-12-21
OSV
CVE-2020-26259: XStream is a Java library to serialize objects to XML and back again2020-12-16
CVEList
XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling2020-12-16

📋Vendor Advisories

5
Ubuntu
XStream vulnerabilities2024-08-22
Ubuntu
XStream vulnerabilities2021-05-11
Ubuntu
XStream vulnerabilities2021-01-28
Red Hat
XStream: arbitrary file deletion on the local host when unmarshalling2020-12-13
Debian
CVE-2020-26259: libxstream-java - XStream is a Java library to serialize objects to XML and back again. In XStream...2020