CVE-2020-26217

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26217
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26217.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-26217
Aliases
Downstream
Related
Published
2020-11-16T21:15:12Z
Modified
2025-09-19T12:13:15.512094Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

References

Affected packages

Git / github.com/apache/activemq

Affected ranges

Type
GIT
Repo
https://github.com/apache/activemq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a0d4141a00ba5de4afaee160836898b41eb28065
Type
GIT
Repo
https://github.com/x-stream/xstream
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0fec095d534126931c99fd38e9c6d41f5c685c1a

Affected versions

Other

XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_5
XSTREAM_1_4_9

activemq-5.*

activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.15.1
activemq-5.15.10
activemq-5.15.11
activemq-5.15.12
activemq-5.15.13
activemq-5.15.2
activemq-5.15.3
activemq-5.15.4
activemq-5.15.5
activemq-5.15.6
activemq-5.15.7
activemq-5.15.8
activemq-5.15.9
activemq-5.9.0

Database specific 

{
    "vanir_signatures": [
        {
            "id": "CVE-2020-26217-62fc4d1d",
            "signature_type": "Line",
            "target": {
                "file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"
            },
            "digest": {
                "line_hashes": [
                    "36534078420505951630932717155066595606",
                    "167712592239746094751306022918018252816",
                    "317644733730249586699082543719012497198",
                    "147882892005919619167157629845016475938",
                    "310112206937186273496457350593858618322",
                    "212400998281365619402932426753096858535",
                    "98561082973858442458491193662279704329",
                    "140566921675937823121313754377213541683",
                    "55865721030239104668089207709746320035",
                    "226613955031940672379347694521770861245",
                    "224905054078361424294810803415096163072",
                    "304917238615893824511506291964377504692",
                    "95782208176028131388695258941550121531",
                    "28837992903177281865669434989913590989",
                    "199170493253428971075703026859805881887",
                    "37525357282441523443603245142652431206",
                    "145645811809558746125356472534965652414",
                    "46124708426586695108529983063240272933",
                    "13235285845647794166604326647201940192",
                    "194282790036325872265619217445543145245",
                    "57524199966063753519088560374134026781",
                    "302590889855058786938212722740100797184",
                    "287878836132345066373988020348693799345",
                    "55388299779160129076428276823673824851",
                    "79370552315750212097527417749468495751",
                    "58609552586332135734337986950425982652",
                    "274080513672262428135865176899633804291",
                    "140977745494268924825685328415719490273",
                    "284467441441206600708256211807478500031",
                    "304917238615893824511506291964377504692",
                    "95782208176028131388695258941550121531",
                    "28837992903177281865669434989913590989",
                    "199170493253428971075703026859805881887",
                    "37525357282441523443603245142652431206",
                    "145645811809558746125356472534965652414",
                    "46124708426586695108529983063240272933",
                    "330110021267849494055473811230632102184",
                    "276200769093194371420971142739798509370",
                    "95737149966117525507760249364270862720",
                    "263867514275934896738377568056758027090",
                    "48714228442327568100662768598747861880",
                    "212494145970732734032500827369388649428",
                    "182912325341326383473301608361159179741",
                    "88593924387143450924616786494852175367",
                    "151438248137756327111752360344123826640",
                    "248025821406173234794988814544699774100",
                    "309803324023024585825355197780470987251",
                    "315797621103349978137933836505191930530",
                    "82548540201317005602749919447493015094",
                    "270863949685038507274853685123980255028",
                    "171405365791934743455499209126098513808",
                    "244766781187162628268875854624811336252",
                    "166730865668170713317511943055644070483",
                    "292822050563300496692888095507552767585",
                    "63366177943000962629953594979726051287",
                    "268325377609045880961180859203858421206",
                    "253171137548256272141904701683387644168",
                    "262245883024142785000301742972088682103"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2020-26217-7ccf807b",
            "signature_type": "Function",
            "target": {
                "file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java",
                "function": "testExplicitlyConvertEventHandler"
            },
            "digest": {
                "function_hash": "135430061935714785873177556993178862123",
                "length": 736.0
            },
            "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2020-26217-fda9c622",
            "signature_type": "Function",
            "target": {
                "file": "xstream/src/java/com/thoughtworks/xstream/XStream.java",
                "function": "setupSecurity"
            },
            "digest": {
                "function_hash": "86372899673399638265050073566564126629",
                "length": 291.0
            },
            "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2020-26217-fdcfa9c0",
            "signature_type": "Line",
            "target": {
                "file": "xstream/src/java/com/thoughtworks/xstream/XStream.java"
            },
            "digest": {
                "line_hashes": [
                    "288917004095477301317786229564296666322",
                    "260891975351421313936228542580575721897",
                    "182758980270881807918382145153527672156",
                    "222093423178369917819573038757702447017"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}