CVE-2020-26217

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

How to fix CVE-2020-26217

To remediate CVE-2020-26217, upgrade the affected package to a fixed version below.

• —upgrade to 5.15.14 or later
• —upgrade to 1.4.14-1 or later
• —upgrade to 1.4.9-2+deb9u1 or later
• —upgrade to 1.4.11.1-1+deb10u1 or later
• —upgrade to 1.4.14-java7 or later

Is CVE-2020-26217 being exploited?

Likely — EPSS is 93.2%, placing CVE-2020-26217 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (5)

• from 0, < 5.15.14 | >= 5.16.0, <= 5.16.0
• from 0, < 1.4.14-1
• from 0, < 1.4.9-2+deb9u1
• from 0, < 1.4.11.1-1+deb10u1
• from 0, < 1.4.14-java7

CVSS scores

References (23)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-26217
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-26217
• PATCHgithub.com/x-stream/xstream
• WEBgithub.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a