Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.8
CVSSv3

CVE-2020-26259

Published: 16/12/2020 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.8 | Impact Score: 4 | Exploitability Score: 2.2
VMScore: 571
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Subscribe to Xstream Project

Vulnerability Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote malicious user to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

xstream project xstream

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 33

fedoraproject fedora 34

fedoraproject fedora 35

Vendor Advisories

Debian CVElist Bug Report Logs: libxstream-java: CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling
Debian Bug report logs - #977624 libxstream-java: CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling Package: src:libxstream-java; Maintainer for src:libxstream-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccor ...
Debian Security Advisories: DSA-4828-1 libxstream-java -- security update
Liaogui Zhong discovered two security issues in XStream, a Java library to serialise objects to XML and back again, which could result in the deletion of files or server-side request forgery when unmarshalling For the stable distribution (buster), these problems have been fixed in version 14111-1+deb10u2 We recommend that you upgrade your libx ...

Github Repositories

https://github.com/Al1ex/CVE-2020-26259

CVE-2020-26259 &&XStream Arbitrary File Delete

Description XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights Influence Xstream <= 1414 How to use Step 1:Prepare a test file which will to be deleted in the future Step 2: POC import comthoughtworksxstreamXStream; public class CVE_2020_26259 { public static void

https://github.com/Al1ex/CVE-2020-26217

CVE-2020-26217 && XStream RCE

Description XStream can be used for Remote Code Execution Influence Xstream <= 1413 Environment pomxml <!-- mvnrepositorycom/artifact/comthoughtworksxstream/xstream --> <dependencies> <dependency> <groupId>comthoughtworksxstream</groupId> <

https://github.com/Veraxy01/XStream-vul-poc

XStream相关漏洞POC及分析复现环境

XStream相关漏洞 XStream今年出的漏洞有 XStream远程代码执行漏洞(CVE-2020-26217)、XStream服务端请求伪造漏洞(CVE-2020-26258)、XStream任意文件删除漏洞(CVE-2020-26259),这里对这些漏洞POC及分析复现环境进行整理。 POC为均以CVE编号命令的xml文件,在Demojava中引用即可触发。 CVE-2020-26217 XStream 14

https://github.com/jas502n/CVE-2020-26259

CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

CVE-2020-26259 CVE-2020-26259: XStream(1414) is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights x-streamgithubio/CVE-2020-26259html XStream 1414 pomxml <!-- mvnrepositorycom/artifact/comthoughtworksxstream/xstream --> <dependencies&g

References

CWE-78https://x-stream.github.io/CVE-2020-26259.htmlhttps://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fhhttps://lists.debian.org/debian-lts-announce/2020/12/msg00042.htmlhttps://www.debian.org/security/2021/dsa-4828https://security.netapp.com/advisory/ntap-20210409-0005/https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3Ehttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977624https://nvd.nist.govhttps://github.com/Al1ex/CVE-2020-26259https://www.debian.org/security/2021/dsa-4828
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3400CVE-2023-7252CVE-2024-21111denial of serviceCVE-2024-29661CVE-2024-22856remote attackersencryptionCVE-2023-38299
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook