{"containers": {"cna": {"affected": [{"product": "xstream", "vendor": "x-stream", "versions": [{"status": "affected", "version": "< 1.4.14"}]}], "descriptions": [{"lang": "en", "value": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:22:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://x-stream.github.io/CVE-2020-26217.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}, {"name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"}, {"name": "DSA-4811", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4811"}, {"name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "source": {"advisory": "GHSA-mw36-7c6c-q4q2", "discovery": "UNKNOWN"}, "title": "Remote Code Execution in XStream", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26217", "STATE": "PUBLIC", "TITLE": "Remote Code Execution in XStream"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xstream", "version": {"version_data": [{"version_value": "< 1.4.14"}]}}]}, "vendor_name": "x-stream"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2", "refsource": "CONFIRM", "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"}, {"name": "https://x-stream.github.io/CVE-2020-26217.html", "refsource": "CONFIRM", "url": "https://x-stream.github.io/CVE-2020-26217.html"}, {"name": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a", "refsource": "CONFIRM", "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}, {"name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"}, {"name": "DSA-4811", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4811"}, {"name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210409-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}, "source": {"advisory": "GHSA-mw36-7c6c-q4q2", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.258Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://x-stream.github.io/CVE-2020-26217.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}, {"name": "[debian-lts-announce] 20201201 [SECURITY] [DLA 2471-1] libxstream-java security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"}, {"name": "DSA-4811", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4811"}, {"name": "[activemq-issues] 20201230 [jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20201230 [jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"}, {"name": "[activemq-issues] 20210104 [jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26217", "datePublished": "2020-11-16T21:00:18", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:49:07.258Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CBAEE8A-07B9-4367-A98E-E03F33732D7E", "versionEndExcluding": "1.4.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*", "matchCriteriaId": "D8668AF8-DA10-45F2-AB8C-432640D52C04", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*", "matchCriteriaId": "25BBBC1A-228F-45A6-AE95-DB915EDF84BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:5.15.4:*:*:*:*:*:*:*", "matchCriteriaId": "5D873E55-2FE5-43B0-A994-0940F4A5008F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "3DBD5E57-CC8B-4180-ACBD-BD067D0801D2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "071E67EC-DC5A-4BD1-AC8F-6266E6436FF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "626C6209-8BC3-4954-BF0C-51500582457E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "55543515-BE87-4D88-8F9B-130FCE792642", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "0D32FE52-C11F-40F0-943A-4FD1241AA599", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "6EE231C5-8BF0-48F4-81EF-7186814664CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9284BB0-343D-46DE-B45D-68081BC20225", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "821A1FAA-6475-4892-97A5-10D434BC2C9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "2AA5FF83-B693-4DAB-B585-0FD641266231", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "AB9FC9AB-1070-420F-870E-A5EC43A924A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "1D99F81D-61BB-4904-BE31-3367D4A98FD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "93866792-1AAE-40AE-84D0-21250A296BE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "45AB3A29-0994-46F4-8093-B4A9CE0BD95F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*", "matchCriteriaId": "2CA1E217-7551-4718-A813-7F55927C7829", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*", "matchCriteriaId": "DE39702F-0176-4C0E-96BA-A344319776B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*", "matchCriteriaId": "AA4A9041-B9BC-451C-B1BD-4E2FD795BF27", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D1534C11-E3F5-49F3-8F8D-7C5C90951E69", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D952E04D-DE2D-4AE0-BFE6-7D9B7E55AC80", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "1111BCFD-E336-4B31-A87E-76C684AC6DE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "CC723E79-8F35-417B-B9D9-6A707F74C1EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5700C2E9-5FF2-48EF-AD85-3C03EDA76536", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BA8461A2-428C-4817-92A9-0C671545698D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5312AC7A-3C16-4967-ACA6-317289A749D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D7C6438-6E88-41CD-BE34-90341030E41F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "490B2C44-CECD-4551-B04F-4076D0E053C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "48EFC111-B01B-4C34-87E4-D6B2C40C0122", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "073FEA23-E46A-4C73-9D29-95CFF4F5A59D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14."}, {"lang": "es", "value": "XStream anterior a versi\u00f3n 1.4.14, es vulnerable a una ejecuci\u00f3n de c\u00f3digo remota. La vulnerabilidad puede permitir a un atacante remoto ejecutar comandos de shell arbitrarios solo manipulando el flujo de entrada procesado.&#xa0;Solo los usuarios que dependen de las listas de bloqueo est\u00e1n afectados.&#xa0;Cualquiera que utilice la lista de permitidos del Security Framework de XStream no estar\u00e1 afectado.&#xa0;El aviso vinculado proporciona soluciones de c\u00f3digo para usuarios que no pueden actualizar.&#xa0;El problema se corrigi\u00f3 en la versi\u00f3n 1.4.14"}], "id": "CVE-2020-26217", "lastModified": "2023-11-07T03:20:31.293", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-11-16T21:15:12.893", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210409-0004/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4811"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://x-stream.github.io/CVE-2020-26217.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0433", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "impact": "low", "package": "xstream", "product_name": "Red Hat Data Grid 8.1.1", "release_date": "2021-02-08T00:00:00Z"}, {"advisory": "RHSA-2021:0162", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "xstream-0:1.3.1-12.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2021:5134", "cpe": "cpe:/a:redhat:jboss_fuse:7", "impact": "moderate", "package": "xstream", "product_name": "Red Hat Fuse 7.10", "release_date": "2021-12-14T00:00:00Z"}, {"advisory": "RHSA-2021:0384", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "package": "xstream", "product_name": "Red Hat Fuse/AMQ 6.3.18", "release_date": "2021-02-02T00:00:00Z"}, {"advisory": "RHSA-2021:0384", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "impact": "moderate", "package": "xstream", "product_name": "Red Hat Fuse/AMQ 6.3.18", "release_date": "2021-02-02T00:00:00Z"}, {"advisory": "RHSA-2021:3205", "cpe": "cpe:/a:redhat:integration:1", "product_name": "Red Hat Integration", "release_date": "2021-08-18T00:00:00Z"}, {"advisory": "RHSA-2021:4767", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "impact": "moderate", "package": "xstream", "product_name": "Red Hat Integration Camel Quarkus", "release_date": "2021-11-23T00:00:00Z"}, {"advisory": "RHSA-2021:0106", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9", "package": "xstream", "product_name": "RHDM 7.9.1", "release_date": "2021-01-13T00:00:00Z"}, {"advisory": "RHSA-2021:0105", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9", "package": "xstream", "product_name": "RHPAM 7.9.1", "release_date": "2021-01-13T00:00:00Z"}], "bugzilla": {"description": "XStream: remote code execution due to insecure XML deserialization when relying on blocklists", "id": "1898907", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1898907"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.", "A flaw was found in xstream. An unsafe deserialization of user-supplied XML, in conjunction with relying on the default deny list, allows a remote attacker to perform a variety of attacks including a remote code execution of arbitrary code in the context of the JVM running the XStream application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "Depending on the version of XStream used there are various usage patterns that mitigate this flaw, though we would strongly recommend using the allow list approach if at all possible as there are likely more class combinations the deny list approach may not address.\nAllow list approach\n```java\nXStream xstream = new XStream();\nXStream.setupDefaultSecurity(xstream);\nxstream.allowTypesByWildcard(new String[] {\"com.misc.classname\"})\n```\nDeny list for XStream 1.4.13\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\nDeny list for XStream 1.4.7 -> 1.4.12\n```java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });\n```\nDeny list for versions prior to XStream 1.4.7\n```java\nxstream.registerConverter(new Converter() {\npublic boolean canConvert(Class type) {\nreturn type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || Proxy.isProxy(type));\n}\npublic Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\nthrow new ConversionException(\"Unsupported type due to security reasons.\");\n}\npublic void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\nthrow new ConversionException(\"Unsupported type due to security reasons.\");\n}\n}, XStream.PRIORITY_LOW);\n```"}, "name": "CVE-2020-26217", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Affected", "impact": "moderate", "package_name": "xstream", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "impact": "moderate", "package_name": "xstream", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "xstream", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "xstream", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-11-16T19:40:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26217\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26217"], "statement": "OpenShift Container Platform (OCP) delivers jenkins package with bundled XStream library. Due to JEP-200 Jenkins project [1] and advisory SECURITY-383 [2], OCP jenkins package is not affected by this flaw.\n[1] https://github.com/jenkinsci/jep/blob/master/jep/200/README.adoc\n[2] https://www.jenkins.io/security/advisory/2017-02-01/ (see SECURITY-383 / CVE-2017-2608)", "threat_severity": "Important", "upstream_fix": "xstream 1.4.14"}