XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
{ "vanir_signatures": [ { "id": "CVE-2020-26217-62fc4d1d", "signature_type": "Line", "target": { "file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java" }, "digest": { "line_hashes": [ "36534078420505951630932717155066595606", "167712592239746094751306022918018252816", "317644733730249586699082543719012497198", "147882892005919619167157629845016475938", "310112206937186273496457350593858618322", "212400998281365619402932426753096858535", "98561082973858442458491193662279704329", "140566921675937823121313754377213541683", "55865721030239104668089207709746320035", "226613955031940672379347694521770861245", "224905054078361424294810803415096163072", "304917238615893824511506291964377504692", "95782208176028131388695258941550121531", "28837992903177281865669434989913590989", "199170493253428971075703026859805881887", "37525357282441523443603245142652431206", "145645811809558746125356472534965652414", "46124708426586695108529983063240272933", "13235285845647794166604326647201940192", "194282790036325872265619217445543145245", "57524199966063753519088560374134026781", "302590889855058786938212722740100797184", "287878836132345066373988020348693799345", "55388299779160129076428276823673824851", "79370552315750212097527417749468495751", "58609552586332135734337986950425982652", "274080513672262428135865176899633804291", "140977745494268924825685328415719490273", "284467441441206600708256211807478500031", "304917238615893824511506291964377504692", "95782208176028131388695258941550121531", "28837992903177281865669434989913590989", "199170493253428971075703026859805881887", "37525357282441523443603245142652431206", "145645811809558746125356472534965652414", "46124708426586695108529983063240272933", "330110021267849494055473811230632102184", "276200769093194371420971142739798509370", "95737149966117525507760249364270862720", "263867514275934896738377568056758027090", "48714228442327568100662768598747861880", "212494145970732734032500827369388649428", "182912325341326383473301608361159179741", "88593924387143450924616786494852175367", "151438248137756327111752360344123826640", "248025821406173234794988814544699774100", "309803324023024585825355197780470987251", "315797621103349978137933836505191930530", "82548540201317005602749919447493015094", "270863949685038507274853685123980255028", "171405365791934743455499209126098513808", "244766781187162628268875854624811336252", "166730865668170713317511943055644070483", "292822050563300496692888095507552767585", "63366177943000962629953594979726051287", "268325377609045880961180859203858421206", "253171137548256272141904701683387644168", "262245883024142785000301742972088682103" ], "threshold": 0.9 }, "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2020-26217-7ccf807b", "signature_type": "Function", "target": { "file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java", "function": "testExplicitlyConvertEventHandler" }, "digest": { "function_hash": "135430061935714785873177556993178862123", "length": 736.0 }, "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2020-26217-fda9c622", "signature_type": "Function", "target": { "file": "xstream/src/java/com/thoughtworks/xstream/XStream.java", "function": "setupSecurity" }, "digest": { "function_hash": "86372899673399638265050073566564126629", "length": 291.0 }, "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a", "signature_version": "v1", "deprecated": false }, { "id": "CVE-2020-26217-fdcfa9c0", "signature_type": "Line", "target": { "file": "xstream/src/java/com/thoughtworks/xstream/XStream.java" }, "digest": { "line_hashes": [ "288917004095477301317786229564296666322", "260891975351421313936228542580575721897", "182758980270881807918382145153527672156", "222093423178369917819573038757702447017" ], "threshold": 0.9 }, "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a", "signature_version": "v1", "deprecated": false } ] }