CVE-2020-26217 : XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnera

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Published 2020-11-16 21:15:13

Updated 2022-10-28 17:40:05

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-26217

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Apache » Activemq » Version: 5.15.4
cpe:2.3:a:apache:activemq:5.15.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 16.0.6
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 19.0.2
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.4.0
cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.7.1
cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Platform » Version: 2.9.0
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Policy Management » Version: 12.5.0
cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Endeca Information Discovery Studio » Version: 3.2.0.0
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 11.1.1.9.0
cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 12.2.1.3.0
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Business Activity Monitoring » Version: 12.2.1.4.0
cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.2
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.3
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Corporate Lending Process Management » Version: 14.5
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.2
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.3
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Credit Facilities Process Management » Version: 14.5
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Supply Chain Finance » Version: 14.2
cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Supply Chain Finance » Version: 14.3
cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Supply Chain Finance » Version: 14.5
cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.2
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.3
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance Process Management » Version: 14.5
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Virtual Account Management » Version: 14.3.0
cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Virtual Account Management » Version: 14.2.0
cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Virtual Account Management » Version: 14.5.0
cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.2
cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.3
cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Cash Management » Version: 14.5
cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*
Matching versions
Netapp » Snapmanager » For SAP
cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For Oracle
cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*
Matching versions
Xstream Project » Xstream
Versions before (<) 1.4.14
cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-26217

EPSS FAQ

93.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-26217

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.0	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H	1.3	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-26217

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)

References for CVE-2020-26217

https://security.netapp.com/advisory/ntap-20210409-0004/

CVE-2020-26217 XStream Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html

[SECURITY] [DLA 2471-1] libxstream-java security update
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Not Applicable;Third Party Advisory

CVEs referencing this url
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

XStream can be used for Remote Code Execution · Advisory · x-stream/xstream · GitHub
Mitigation;Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E

[camel] branch main updated: Camel-XStream: Added a test about CVE-2020-26217 - Pony Mail
Mailing List;Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Not Applicable;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E

[jira] [Updated] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony Mail
Mailing List;Third Party Advisory
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

Fix for CVE-2017-9805. · x-stream/xstream@0fec095 · GitHub
Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021
Patch;Third Party Advisory

CVEs referencing this url
https://x-stream.github.io/CVE-2020-26217.html

XStream - CVE-2020-26217
Exploit;Mitigation;Vendor Advisory
https://www.debian.org/security/2020/dsa-4811

Debian -- Security Information -- DSA-4811-1 libxstream-java
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E

[jira] [Resolved] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E

[jira] [Created] (AMQ-8107) Does ActiveMQ use the affected functionality within Xstream libraries for CVE-2020-26217 - Pony Mail
Mailing List;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-26217

Products affected by CVE-2020-26217

Exploit prediction scoring system (EPSS) score for CVE-2020-26217

CVSS scores for CVE-2020-26217

CWE ids for CVE-2020-26217

References for CVE-2020-26217