
CVE-2020-26217

Published: 16 November 2020

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands merely by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
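As an added example (not code from this advisory or from the XStream project), the following Java snippet configures XStream's Security Framework as an allowlist, the setup the advisory says is not affected; the package prefix com.example.app and the class AllowlistExample are assumed names.

```java
// Added example, not part of the advisory or of XStream itself.
// Assumes XStream 1.4.10 or later on the classpath and that the application's
// own serializable model classes live under com.example.app (assumed prefix).
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class AllowlistExample {

    // Builds an XStream instance that deserializes only explicitly allowed types.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Switch from the built-in blocklist (the part CVE-2020-26217 bypasses)
        // to deny-by-default plus a small set of safe JDK types. From XStream
        // 1.4.18 onward this is the default and the call is deprecated.
        XStream.setupDefaultSecurity(xstream);
        // Allow only the application's own types; nothing else is instantiated.
        xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        return xstream;
    }

    // Parses untrusted XML; a type outside the allowlist is rejected before
    // any object of that type is constructed.
    public static Object parseUntrusted(String xml) {
        try {
            return hardenedXStream().fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Log and treat the input as hostile rather than failing open.
            System.err.println("rejected type: " + e.getMessage());
            return null;
        }
    }
}
```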

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: libxstream-java (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (1.4.11.1-1~18.04.1)
focal      Released (1.4.11.1-1ubuntu0.1)
groovy     Released (1.4.11.1-2ubuntu0.1)
hirsute    Not vulnerable (1.4.14-1)
impish     Not vulnerable (1.4.14-1)
jammy      Not vulnerable (1.4.14-1)
precise    Does not exist
trusty     Needs triage
upstream   Needs triage
xenial     Ignored (end of standard support, was needs-triage)