CVE-2020-26217

Summary

CVE	CVE-2020-26217
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-11-16 21:15:00 UTC
Updated	2023-11-07 03:20:00 UTC
Description	XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Risk And Classification

Problem Types: CWE-78

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Activemq	5.15.4	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Netapp	Snapmanager	All	All	All	All
Application	Netapp	Snapmanager	-	-	All	All
Application	Oracle	Banking Cash Management	14.2	All	All	All
Application	Oracle	Banking Cash Management	14.3	All	All	All
Application	Oracle	Banking Cash Management	14.5	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.2	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.3	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.5	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.2	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.3	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.5	All	All	All
Application	Oracle	Banking Platform	2.4.0	All	All	All
Application	Oracle	Banking Platform	2.7.1	All	All	All
Application	Oracle	Banking Platform	2.9.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.2	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.3	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.5	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.2	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.3	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.5	All	All	All
Application	Oracle	Banking Virtual Account Managemen	14.2	All	All	All
Application	Oracle	Banking Virtual Account Managemen	14.3	All	All	All
Application	Oracle	Banking Virtual Account Managemen	14.5	All	All	All
Application	Oracle	Banking Virtual Account Management	14.2.0	All	All	All
Application	Oracle	Banking Virtual Account Management	14.3.0	All	All	All
Application	Oracle	Banking Virtual Account Management	14.5.0	All	All	All
Application	Oracle	Business Activity Monitoring	11.1.1.9.0	All	All	All
Application	Oracle	Business Activity Monitoring	12.2.1.3.0	All	All	All
Application	Oracle	Business Activity Monitoring	12.2.1.4.0	All	All	All
Application	Oracle	Communications Policy Management	12.5.0	All	All	All
Application	Oracle	Endeca Information Discovery Studio	3.2.0.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	16.0.6	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0.4	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	19.0.2	All	All	All
Application	Xstream Project	Xstream	All	All	All	All
Application	Xstream Project	Xstream	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
XStream can be used for Remote Code Execution · Advisory · x-stream/xstream · GitHub	CONFIRM	github.com	Mitigation, Third Party Advisory
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[SECURITY] [DLA 2471-1] libxstream-java security update	MLIST	lists.debian.org	Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
CVE-2020-26217 XStream Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Fix for CVE-2017-9805. · x-stream/xstream@0fec095 · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Debian -- Security Information -- DSA-4811-1 libxstream-java	DEBIAN	www.debian.org
Pony Mail!	MLIST	lists.apache.org
[camel-commits] 20211006 [camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217		lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
XStream - CVE-2020-26217	CONFIRM	x-stream.github.io	Exploit, Mitigation, Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

174824 SUSE Enterprise Linux Security update for SUSE Manager Server 4.1 (SUSE-SU-2021:0906-1)
198361 Ubuntu Security Notification for XStream vulnerabilities (USN-4943-1)
375337 IBM Spectrum Control Multiple Vulnerability(6415993)
375827 XStream Arbitrary Code Execution And Multiple vulnerabilities
730155 McAfee Web Gateway Multiple Vulnerabilities(WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934,WP-3935, WP-3936, WP-3999)
750401 OpenSUSE Security Update for xstream (openSUSE-SU-2021:0140-1)
980327 Java (maven) Security Update for com.thoughtworks.xstream:xstream (GHSA-mw36-7c6c-q4q2)