6.4
CVSSv2

CVE-2020-26259

Published: 16/12/2020 Updated: 24/02/2021
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.8 | Impact Score: 4 | Exploitability Score: 2.2
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Vulnerability Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote malicious user to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

xstream project xstream

debian debian linux 9.0

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #977624 libxstream-java: CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccor ...
Liaogui Zhong discovered two security issues in XStream, a Java library to serialise objects to XML and back again, which could result in the deletion of files or server-side request forgery when unmarshalling For the stable distribution (buster), these problems have been fixed in version 14111-1+deb10u2 We recommend that you upgrade your libx ...

Github Repositories

CVE-2020-26259 &&XStream Arbitrary File Delete

Description XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights Influence Xstream <= 1414 How to use Step 1:Prepare a test file which will to be deleted in the future Step 2: POC import comthoughtworksxstreamXStream; public class CVE_2020_26259 { public static void

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

CVE-2020-26259 CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights XStream 1414 pomxml <!-- mvnrepositorycom/artifact/comthoughtworksxstream/xstream --> <dependencies> <dependency> &

CVE-2020-26217 && XStream RCE

Description XStream can be used for Remote Code Execution Influence Xstream <= 1413 Environment pomxml <!-- mvnrepositorycom/artifact/comthoughtworksxstream/xstream --> <dependencies> <dependency> <groupId>comthoughtworksxstream</groupId> <

XStream相关漏洞POC及分析复现环境

XStream相关漏洞 XStream今年出的漏洞有 XStream远程代码执行漏洞(CVE-2020-26217)、XStream服务端请求伪造漏洞(CVE-2020-26258)、XStream任意文件删除漏洞(CVE-2020-26259),这里对这些漏洞POC及分析复现环境进行整理。 POC为均以CVE编号命令的xml文件,在Demojava中引用即可触发。 CVE-2020-26217 XStream 14

此项目将不定期从棱角社区对外进行公布一些最新漏洞。

Vulnerability 纪念我们始终热爱的 来人皆是朋友 去人也不留 © Edge Security Team Anchor CMS 0127 跨站请求伪造(CVE-2020-23342) Apache Kylin API未授权访问漏洞(CVE-2020-13937) Apache NiFi Api 远程代码执行(RCE) Bypass for Microsoft Exchange远程代码执行 CVE-2020-16875 CISCO ASA任意文件读取漏洞 (CVE-2020-3452) CNVD-20

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASL (1) ASPNET (1) ActionScript (1) Arduino (2) Assembly (7) AutoHotkey (2) Batchfile (16) BitBake (5) Boo (1) C (286) C# (212) C++ (225) CMake (2) CSS (66) Classic ASP (2) Clojure (1) CoffeeScript (1) ColdFusion (1) Dart (1) Dockerfile (37) Emacs Lisp (1) Erlang (1) F# (2) Go (531) HCL (4)

PoC in GitHub 2020 CVE-2020-0014 (2020-02-13) It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android