cnvd - cnvd-2021-13247

cnvd-2021-13247

Vulnerability from cnvd

Title: XStream SSRF漏洞

Description:

XStream是Java类库，用来将对象序列化成XML或者反序列化为对象，XStream是自由软件可以在BSD许可证的学习分发。

XStream SSRF漏洞，攻击者可利用该漏洞通过在xml中指定需求请求的url可以进行SSRF操作。

Severity: 中

Patch Name: XStream SSRF漏洞的补丁

Patch Description:

XStream是Java类库，用来将对象序列化成XML或者反序列化为对象，XStream是自由软件可以在BSD许可证的学习分发。

XStream SSRF漏洞，攻击者可利用该漏洞通过在xml中指定需求请求的url可以进行SSRF操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布相关漏洞补丁链接，请关注厂商主页随时更新： http://x-stream.github.io/CVE-2020-26258.html

Reference: https://x-stream.github.io/

Impacted products

Name
XStream XStream <1.4.14

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-26259"
    }
  },
  "description": "XStream\u662fJava\u7c7b\u5e93\uff0c\u7528\u6765\u5c06\u5bf9\u8c61\u5e8f\u5217\u5316\u6210XML\u6216\u8005\u53cd\u5e8f\u5217\u5316\u4e3a\u5bf9\u8c61\uff0cXStream\u662f\u81ea\u7531\u8f6f\u4ef6\u53ef\u4ee5\u5728BSD\u8bb8\u53ef\u8bc1\u7684\u5b66\u4e60\u5206\u53d1\u3002\n\nXStream SSRF\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5728xml\u4e2d\u6307\u5b9a\u9700\u6c42\u8bf7\u6c42\u7684url\u53ef\u4ee5\u8fdb\u884cSSRF\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u76f8\u5173\u6f0f\u6d1e\u8865\u4e01\u94fe\u63a5\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u968f\u65f6\u66f4\u65b0\uff1a\r\nhttp://x-stream.github.io/CVE-2020-26258.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-13247",
  "openTime": "2021-03-01",
  "patchDescription": "XStream\u662fJava\u7c7b\u5e93\uff0c\u7528\u6765\u5c06\u5bf9\u8c61\u5e8f\u5217\u5316\u6210XML\u6216\u8005\u53cd\u5e8f\u5217\u5316\u4e3a\u5bf9\u8c61\uff0cXStream\u662f\u81ea\u7531\u8f6f\u4ef6\u53ef\u4ee5\u5728BSD\u8bb8\u53ef\u8bc1\u7684\u5b66\u4e60\u5206\u53d1\u3002\r\n\r\nXStream SSRF\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5728xml\u4e2d\u6307\u5b9a\u9700\u6c42\u8bf7\u6c42\u7684url\u53ef\u4ee5\u8fdb\u884cSSRF\u64cd\u4f5c\u3002\r\n\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "XStream SSRF\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "XStream XStream \u003c1.4.14"
  },
  "referenceLink": "https://x-stream.github.io/",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-15",
  "title": "XStream SSRF\u6f0f\u6d1e"
}

CVE-2020-26259 (GCVE-0-2020-26259)

Vulnerability from cvelistv5

Published

2020-12-16 01:05

Modified

2024-08-04 15:56

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-78 - OS Command Injection

Summary

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

References

▼	URL	Tags
	https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh	x_refsource_CONFIRM
	https://x-stream.github.io/CVE-2020-26259.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2021/dsa-4828	vendor-advisory, x_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-20210409-0005/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/	vendor-advisory, x_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	x-stream	xstream	Version: < 1.4.15

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:04.167Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://x-stream.github.io/CVE-2020-26259.html"
          },
          {
            "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
          },
          {
            "name": "DSA-4828",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4828"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
          },
          {
            "name": "FEDORA-2021-fbad11014a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
          },
          {
            "name": "FEDORA-2021-d894ca87dc",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
          },
          {
            "name": "FEDORA-2021-5e376c0ed9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.15"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-30T01:08:04",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://x-stream.github.io/CVE-2020-26259.html"
        },
        {
          "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
        },
        {
          "name": "DSA-4828",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4828"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
        },
        {
          "name": "FEDORA-2021-fbad11014a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
        },
        {
          "name": "FEDORA-2021-d894ca87dc",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
        },
        {
          "name": "FEDORA-2021-5e376c0ed9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
        }
      ],
      "source": {
        "advisory": "GHSA-jfvx-7wrx-43fh",
        "discovery": "UNKNOWN"
      },
      "title": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26259",
          "STATE": "PUBLIC",
          "TITLE": "XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "xstream",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.4.15"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "x-stream"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream\u0027s default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream\u0027s Security Framework with a whitelist! Anyone relying on XStream\u0027s default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh",
              "refsource": "CONFIRM",
              "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
            },
            {
              "name": "https://x-stream.github.io/CVE-2020-26259.html",
              "refsource": "MISC",
              "url": "https://x-stream.github.io/CVE-2020-26259.html"
            },
            {
              "name": "[struts-commits] 20201221 [struts] branch master updated: Upgrades XStream to version 1.4.15 to address CVE-2020-26258, CVE-2020-26259",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20201231 [SECURITY] [DLA 2507-1] libxstream-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html"
            },
            {
              "name": "DSA-4828",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4828"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210409-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210409-0005/"
            },
            {
              "name": "FEDORA-2021-fbad11014a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/"
            },
            {
              "name": "FEDORA-2021-d894ca87dc",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/"
            },
            {
              "name": "FEDORA-2021-5e376c0ed9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jfvx-7wrx-43fh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26259",
    "datePublished": "2020-12-16T01:05:16",
    "dateReserved": "2020-10-01T00:00:00",
    "dateUpdated": "2024-08-04T15:56:04.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted