6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.576 Medium
EPSS
Percentile
97.6%
XStream is a Java library to serialize objects to XML and back again. In
XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion
on the local host when unmarshalling. The vulnerability may allow a remote
attacker to delete arbitrary know files on the host as log as the executing
process has sufficient rights only by manipulating the processed input
stream. If you rely on XStream’s default blacklist of the Security
Framework, you will have to use at least version 1.4.15. The reported
vulnerability does not exist running Java 15 or higher. No user is
affected, who followed the recommendation to setup XStream’s Security
Framework with a whitelist! Anyone relying on XStream’s default blacklist
can immediately switch to a whilelist for the allowed types to avoid the
vulnerability. Users of XStream 1.4.14 or below who still want to use
XStream default blacklist can use a workaround described in more detailed
in the referenced advisories.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxstream-java | < 1.4.11.1-1~18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | libxstream-java | < 1.4.11.1-1ubuntu0.1 | UNKNOWN |
ubuntu | 16.04 | noarch | libxstream-java | < any | UNKNOWN |
ubuntu | 20.10 | noarch | libxstream-java | < 1.4.11.1-2ubuntu0.1 | UNKNOWN |
ubuntu | 14.04 | noarch | libxstream-java | < any | UNKNOWN |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26259
github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
launchpad.net/bugs/cve/CVE-2020-26259
nvd.nist.gov/vuln/detail/CVE-2020-26259
security-tracker.debian.org/tracker/CVE-2020-26259
ubuntu.com/security/notices/USN-4714-1
ubuntu.com/security/notices/USN-4943-1
x-stream.github.io/CVE-2020-26259.html
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.576 Medium
EPSS
Percentile
97.6%