CVE-2020-26217 — HIGH (8.0)

Q: How severe is CVE-2020-26217?

CVE-2020-26217 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26217?

Check the references section above for vendor advisories and patch information. Affected products include: Xstream Xstream, Debian Debian Linux, Netapp Snapmanager, Apache Activemq, Oracle Banking Cash Management.

Vulnerability Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xstream	Xstream	< 1.4.14
Debian	Debian Linux	9.0
Netapp	Snapmanager	All versions
Apache	Activemq	< 5.15.14
Oracle	Banking Cash Management	14.2
Oracle	Banking Corporate Lending Process Management	14.2
Oracle	Banking Credit Facilities Process Management	14.2
Oracle	Banking Platform	2.4.0
Oracle	Banking Supply Chain Finance	14.2
Oracle	Banking Trade Finance Process Management	14.2
Oracle	Banking Virtual Account Management	14.2.0
Oracle	Business Activity Monitoring	11.1.1.9.0
Oracle	Communications Policy Management	12.5.0
Oracle	Endeca Information Discovery Studio	3.2.0.0
Oracle	Retail Xstore Point Of Service	16.0.6

Related Weaknesses (CWE)

CWE-78

References

https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685PatchThird Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2MitigationThird Party Advisory
https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd9Issue TrackingMailing List
https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaIssue TrackingMailing List
https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad3Issue TrackingMailing List
https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fdIssue TrackingMailing List
https://lists.debian.org/debian-lts-announce/2020/12/msg00001.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0004/Third Party Advisory
https://www.debian.org/security/2020/dsa-4811Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlNot ApplicableThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlNot ApplicableThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://x-stream.github.io/CVE-2020-26217.htmlExploitMitigationVendor Advisory

FAQ

What is CVE-2020-26217?

CVE-2020-26217 is a vulnerability with a CVSS score of 8.0 (HIGH). XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only...

How severe is CVE-2020-26217?

CVE-2020-26217 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26217?

Check the references section above for vendor advisories and patch information. Affected products include: Xstream Xstream, Debian Debian Linux, Netapp Snapmanager, Apache Activemq, Oracle Banking Cash Management.