Vulnerability Details : CVE-2020-26217
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2020-26217
Probability of exploitation activity in the next 30 days: 97.38%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-26217
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
|
8.0
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
1.3
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2020-26217
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2020-26217
-
https://security.netapp.com/advisory/ntap-20210409-0004/
CVE-2020-26217 XStream Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
[SECURITY] [DLA 2471-1] libxstream-java security updateMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Not Applicable;Third Party Advisory
-
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
XStream can be used for Remote Code Execution · Advisory · x-stream/xstream · GitHubMitigation;Third Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
[camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217 - Pony MailMailing List;Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Not Applicable;Third Party Advisory
-
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
[jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony MailMailing List;Third Party Advisory
-
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
Fix for CVE-2017-9805. · x-stream/xstream@0fec095 · GitHubPatch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://x-stream.github.io/CVE-2020-26217.html
XStream - CVE-2020-26217Exploit;Mitigation;Vendor Advisory
-
https://www.debian.org/security/2020/dsa-4811
Debian -- Security Information -- DSA-4811-1 libxstream-javaThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
[jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
[jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony MailMailing List;Third Party Advisory
Products affected by CVE-2020-26217
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*
- cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*
- cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*