7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.901 High
EPSS
Percentile
98.8%
XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.15, a Server-Side Forgery Request vulnerability
can be activated when unmarshalling. The vulnerability may allow a remote
attacker to request data from internal resources that are not publicly
available only by manipulating the processed input stream. If you rely on
XStream’s default blacklist of the Security Framework, you will have to use
at least version 1.4.15. The reported vulnerability does not exist if
running Java 15 or higher. No user is affected who followed the
recommendation to setup XStream’s Security Framework with a whitelist!
Anyone relying on XStream’s default blacklist can immediately switch to a
whilelist for the allowed types to avoid the vulnerability. Users of
XStream 1.4.14 or below who still want to use XStream default blacklist can
use a workaround described in more detailed in the referenced advisories.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxstream-java | < 1.4.11.1-1~18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | libxstream-java | < 1.4.11.1-1ubuntu0.1 | UNKNOWN |
ubuntu | 20.10 | noarch | libxstream-java | < 1.4.11.1-2ubuntu0.1 | UNKNOWN |
ubuntu | 14.04 | noarch | libxstream-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libxstream-java | < any | UNKNOWN |
github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
launchpad.net/bugs/cve/CVE-2020-26258
nvd.nist.gov/vuln/detail/CVE-2020-26258
security-tracker.debian.org/tracker/CVE-2020-26258
ubuntu.com/security/notices/USN-4714-1
ubuntu.com/security/notices/USN-4943-1
www.cve.org/CVERecord?id=CVE-2020-26258
x-stream.github.io/CVE-2020-26258.html
7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.901 High
EPSS
Percentile
98.8%