CVE-2020-26258: Server-Side Forgery Request can be activated unmarshalling with XStream
(updated )
The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.
References
- github.com/advisories/GHSA-4cch-wxpw-8p28
- github.com/x-stream/xstream
- github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
- lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
- lists.debian.org/debian-lts-announce/2020/12/msg00042.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
- nvd.nist.gov/vuln/detail/CVE-2020-26258
- security.netapp.com/advisory/ntap-20210409-0005
- www.debian.org/security/2021/dsa-4828
- x-stream.github.io/CVE-2020-26258.html
Detect and mitigate CVE-2020-26258 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →