CVE-2020-26217

Опубликовано: 16 нояб. 2020

Источник: nvd

CVSS3: 8

CVSS3: 8.8

CVSS2: 9.3

EPSS Критический

Описание

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Ссылки

https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
Patch
Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
Mitigation
Third Party Advisory
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
Issue Tracking
Mailing List
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E
Issue Tracking
Mailing List
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E
Issue Tracking
Mailing List
https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E
Issue Tracking
Mailing List
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
Mailing List
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0004/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4811
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Not Applicable
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Not Applicable
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://x-stream.github.io/CVE-2020-26217.html
Exploit
Mitigation
Vendor Advisory
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
Patch
Third Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
Mitigation
Third Party Advisory
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
Issue Tracking
Mailing List
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E
Issue Tracking
Mailing List
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E
Issue Tracking
Mailing List

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*

Версия до 1.4.14 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:netapp:snapmanager:*:*:*:*:*:sap:*:*

cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*

Конфигурация 4

Одно из

cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*

Версия до 5.15.14 (исключая)

cpe:2.3:a:apache:activemq:5.16.0:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.93171

Критический

8 High

CVSS3

8.8 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-78

Связанные уязвимости

CVE-2020-26217

CVSS3: 8

ubuntu

около 5 лет назад

CVE-2020-26217

CVSS3: 9

redhat

около 5 лет назад

CVE-2020-26217

CVSS3: 8

debian

около 5 лет назад

XStream before version 1.4.14 is vulnerable to Remote Code Execution.T ...

GHSA-mw36-7c6c-q4q2

CVSS3: 8

github

около 5 лет назад

XStream can be used for Remote Code Execution

ELSA-2021-0162

oracle-oval

около 5 лет назад

ELSA-2021-0162: xstream security update (IMPORTANT)

EPSS

Процентиль: 100%

0.93171

Критический

8 High

CVSS3

8.8 High

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-78