xstreamproject xstream CVE-2020-26259 vulnerability in Xstreamproject and Other Products
Published on December 16, 2020

XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling

product logo product logo product logo product logo product logo
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-26259 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2020-26259 has been classified to as a Shell injection vulnerability or weakness.


Products Associated with CVE-2020-26259

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-26259 are published in these products:

Xstreamproject Xstream
 
Debian Linux
 
Canonical Ubuntu Linux
 
Fedora Project Fedora
 
Apache Struts
 
Xstream
 

Affected Versions

x-stream xstream Version < 1.4.15 is affected by CVE-2020-26259

Vulnerable Packages

The following package name and versions may be associated with CVE-2020-26259

Package Manager Vulnerable Package Versions Fixed In
maven com.thoughtworks.xstream:xstream < 1.4.15 1.4.15

Exploit Probability

EPSS
88.87%
Percentile
99.51%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.