SCA: security update for com.thoughtworks.xstream:xstream (GHSA-jfvx-7wrx-43fh)

medium Tenable Cloud Security Plugin ID 416336

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is
vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow
a remote attacker to delete arbitrary know files on the host as log as the executing process has
sufficient rights only by manipulating the processed input stream. If you rely on XStream's default
blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported
vulnerability does not exist running Java 15 or higher. No user is affected, who followed the
recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default
blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of
XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in
more detailed in the referenced advisories. (CVE-2020-26259)

See Also

https://github.com/advisories/GHSA-jfvx-7wrx-43fh

Plugin Details

Severity: Medium

ID: 416336

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

Percentile: 96.97

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2020-26259

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 6.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/21/2020

Vulnerability Publication Date: 12/16/2020

Reference Information

CVE: CVE-2020-26259

cwe: CWE-78