CVE-2020-26258 — MEDIUM (6.3)

Q: How severe is CVE-2020-26258?

CVE-2020-26258 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26258?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Xstream Xstream, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

CVSS Score

6.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Struts	< 6.0.0
Xstream	Xstream	< 1.4.15
Debian	Debian Linux	9.0
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-918

References

https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28MitigationThird Party Advisory
https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f05Issue TrackingMailing List
https://lists.debian.org/debian-lts-announce/2020/12/msg00042.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.netapp.com/advisory/ntap-20210409-0005Third Party Advisory
https://www.debian.org/security/2021/dsa-4828Third Party Advisory
https://x-stream.github.io/CVE-2020-26258.htmlExploitMitigationThird Party Advisory
https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28MitigationThird Party Advisory
https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f05Issue TrackingMailing List
https://lists.debian.org/debian-lts-announce/2020/12/msg00042.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing List

FAQ

What is CVE-2020-26258?

CVE-2020-26258 is a vulnerability with a CVSS score of 6.3 (MEDIUM). XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerabili...

How severe is CVE-2020-26258?

CVE-2020-26258 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26258?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Xstream Xstream, Debian Debian Linux, Fedoraproject Fedora.