XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
https://x-stream.github.io/CVE-2020-26217.html
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
https://www.debian.org/security/2020/dsa-4811
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E
https://security.netapp.com/advisory/ntap-20210409-0004/
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/[email protected]%3Ccommits.camel.apache.org%3E
https://www.oracle.com/security-alerts/cpuoct2021.html
Source: MITRE
Published: 2020-11-16
Updated: 2022-05-12
Type: CWE-78
Base Score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Impact Score: 10
Exploitability Score: 8.6
Severity: HIGH
Base Score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.8
Severity: HIGH