High severityNVD Advisory· Published Nov 16, 2020· Updated Aug 4, 2024
Remote Code Execution in XStream
CVE-2020-26217
Description
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.thoughtworks.xstream:xstreamMaven | < 1.4.14-java7 | 1.4.14-java7 |
Affected products
36- osv-coords35 versionspkg:bitnami/activemqpkg:maven/com.thoughtworks.xstream/xstreampkg:rpm/opensuse/xstream&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/xstream&distro=openSUSE%20Tumbleweedpkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/grafana-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/mgr-libmod&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/prometheus-exporters-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/prometheus-formula&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/py26-compat-salt&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/smdba&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-backend&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-config&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-java&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-proxy&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-proxy-installer&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-utils&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Proxy%20Module%204.1pkg:rpm/suse/spacewalk-web&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/subscription-matcher&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-doc-indexes&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-docs_en&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-schema&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/susemanager-sls&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xpp3&distro=SUSE%20Manager%20Server%20Module%204.1pkg:rpm/suse/xstream&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2pkg:rpm/suse/xstream&distro=SUSE%20Manager%20Server%20Module%204.1
< 5.15.14+ 34 more
- (no CPE)range: < 5.15.14
- (no CPE)range: < 1.4.14-java7
- (no CPE)range: < 1.4.15-lp152.2.3.1
- (no CPE)range: < 1.4.18-1.1
- (no CPE)range: < 3.0.0+git20190806.32c4bae0-5.6.4
- (no CPE)range: < 0.4.0-3.6.2
- (no CPE)range: < 4.1.7-3.16.2
- (no CPE)range: < 4.1.5-2.9.4
- (no CPE)range: < 4.1.5-2.9.4
- (no CPE)range: < 0.9.0-3.19.2
- (no CPE)range: < 0.3.1-3.6.2
- (no CPE)range: < 2016.11.10-6.11.2
- (no CPE)range: < 4.1.3-4.3.2
- (no CPE)range: < 4.1.3-4.3.2
- (no CPE)range: < 1.7.8-0.3.6.2
- (no CPE)range: < 4.1.21-4.22.7
- (no CPE)range: < 4.1.21-4.22.7
- (no CPE)range: < 4.1.9-4.12.4
- (no CPE)range: < 4.1.9-4.12.4
- (no CPE)range: < 4.1.5-3.3.2
- (no CPE)range: < 4.1.30-3.31.7
- (no CPE)range: < 4.1.4-3.9.4
- (no CPE)range: < 4.1.6-3.3.2
- (no CPE)range: < 4.1.14-3.12.2
- (no CPE)range: < 4.1.23-3.18.6
- (no CPE)range: < 4.1.23-3.18.6
- (no CPE)range: < 0.26-3.6.2
- (no CPE)range: < 4.1.24-3.20.2
- (no CPE)range: < 4.1-11.28.4
- (no CPE)range: < 4.1-11.28.2
- (no CPE)range: < 4.1.19-3.24.4
- (no CPE)range: < 4.1.21-3.26.2
- (no CPE)range: < 1.1.4c-11.2.2
- (no CPE)range: < 1.4.15-3.3.2
- (no CPE)range: < 1.4.15-3.5.2
Patches
Vulnerability mechanics
References
22- github.com/advisories/GHSA-mw36-7c6c-q4q2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-26217ghsaADVISORY
- www.debian.org/security/2020/dsa-4811ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1aghsax_refsource_CONFIRMWEB
- github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2ghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/12/msg00001.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20210409-0004ghsaWEB
- security.netapp.com/advisory/ntap-20210409-0004/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
- x-stream.github.io/CVE-2020-26217.htmlghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.