fkie_cve-2020-26259
Vulnerability from fkie_nvd
Published
2020-12-16 01:15
Modified
2024-11-21 05:19
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
References
security-advisories@github.comhttps://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fhMitigation, Third Party Advisory
security-advisories@github.comhttps://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
security-advisories@github.comhttps://lists.debian.org/debian-lts-announce/2020/12/msg00042.htmlMailing List, Third Party Advisory
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
security-advisories@github.comhttps://security.netapp.com/advisory/ntap-20210409-0005/Third Party Advisory
security-advisories@github.comhttps://www.debian.org/security/2021/dsa-4828Third Party Advisory
security-advisories@github.comhttps://x-stream.github.io/CVE-2020-26259.htmlExploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fhMitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/12/msg00042.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20210409-0005/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2021/dsa-4828Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://x-stream.github.io/CVE-2020-26259.htmlExploit, Mitigation, Third Party Advisory
Impacted products
Vendor Product Version
xstream_project xstream *
debian debian_linux 9.0
debian debian_linux 10.0
fedoraproject fedora 33
fedoraproject fedora 34
fedoraproject fedora 35


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "57F452FA-A45F-46A3-9FDB-8ED3C7E77BBD",
                     versionEndExcluding: "1.4.15",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                     matchCriteriaId: "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                     matchCriteriaId: "A930E247-0B43-43CB-98FF-6CE7B8189835",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                     matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.",
      },
      {
         lang: "es",
         value: "XStream es una biblioteca de Java para serializar objetos a XML y viceversa. En XStream versiones anteriores a 1.4.15, es vulnerable a una Eliminación Arbitraria de Archivos en el host local al desagrupar. La vulnerabilidad puede permitir a un atacante remoto eliminar archivos conocidos arbitrarios en el host como registro, ya que el proceso en ejecución posee derechos suficientes solo mediante la manipulación del flujo de entrada procesado. Si confía en la lista negra predeterminada de XStream del Security Framework, tendrá que usar al menos la versión 1.4.15. La vulnerabilidad reportada no se presenta al ejecutar Java versión 15 o superior. Ningún usuario está afectado, si siguió la recomendación de configurar el Security Framework de XStream con una lista blanca! Cualquiera que confíe en la lista negra predeterminada de XStream puede cambiar inmediatamente a una lista blanca para los tipos permitidos para evitar la vulnerabilidad. Usuarios de XStream 1.4 o por debajo, quienes aún quieran usar la lista negra predeterminada de XStream pueden usar una solución alternativa que se describe con más detalle en los avisos a los que se hace referencia",
      },
   ],
   id: "CVE-2020-26259",
   lastModified: "2024-11-21T05:19:40.973",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2020-12-16T01:15:12.413",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/",
      },
      {
         source: "security-advisories@github.com",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210409-0005/",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4828",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://x-stream.github.io/CVE-2020-26259.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
            "Third Party Advisory",
         ],
         url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://security.netapp.com/advisory/ntap-20210409-0005/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.debian.org/security/2021/dsa-4828",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://x-stream.github.io/CVE-2020-26259.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-78",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-78",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.