CVE-2020-26217: XStream can be used for Remote Code Execution
(updated )
The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.
References
- github.com/advisories/GHSA-mw36-7c6c-q4q2
- github.com/x-stream/xstream
- github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
- github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
- lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
- lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
- lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
- lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
- lists.debian.org/debian-lts-announce/2020/12/msg00001.html
- nvd.nist.gov/vuln/detail/CVE-2020-26217
- security.netapp.com/advisory/ntap-20210409-0004
- www.debian.org/security/2020/dsa-4811
- www.oracle.com//security-alerts/cpujul2021.html
- www.oracle.com/security-alerts/cpuApr2021.html
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpuoct2021.html
- x-stream.github.io/CVE-2020-26217.html
Code Behaviors & Features
Detect and mitigate CVE-2020-26217 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →