CVE-2020-26217: XStream Remote Code Execution Vulnerability Alert

On November 16, 2020, the XStream project published a security advisory for a remote code execution vulnerability in XStream, tracked as CVE-2020-26217 and rated critical.
XStream 1.4.13 and earlier ship with a blacklist of dangerous types that can be bypassed. By sending a specially crafted payload to a web application that unmarshals untrusted input with XStream, an unauthenticated remote attacker can trigger a malicious deserialization, execute arbitrary code and gain control of the server.

Vulnerability Detail

The stream processed at unmarshalling time contains type information used to recreate the objects that were originally written, and XStream creates new instances based on this type information. An attacker who controls the input stream can therefore replace or inject objects that execute arbitrary shell commands when they are instantiated.

This issue is a variation of CVE-2013-7285, this time using a different set of classes from the Java runtime environment, none of which is on XStream's default blacklist. The same issue had already been reported against the Struts XStream plugin as CVE-2017-9805, but the XStream project was never informed about it.

Affected version

  • XStream <=1.4.13

Unaffected version

  • XStream 1.4.14

Solution

We recommend that users upgrade XStream to 1.4.14 or later as soon as possible. Because this is a blacklist bypass, applications that unmarshal untrusted input should not rely on the default blacklist alone: XStream's security framework can restrict unmarshalling to an explicit whitelist of the types the application actually expects, which rejects unlisted JDK classes before they are instantiated.
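The following is an added example, not code from the advisory or from the XStream project, contrasting the blacklist-only setup that CVE-2020-26217 bypasses with a whitelist configuration built from XStream's documented security-framework API (`setupDefaultSecurity`, `addPermission`, `allowTypes`). The `Order` class, the alias and the two sample documents are constructed for the demonstration; `java.util.Locale` simply stands in for any JDK type the application never asked to receive and is not the gadget used in the vulnerability.

```java
import java.util.Locale;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical application DTO: the only object this endpoint expects to receive.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Weak configuration: trusts the built-in blacklist alone. Any type that is
    // not on the list (including the gadget classes behind CVE-2020-26217 on
    // XStream <= 1.4.13) is instantiated.
    static XStream blacklistOnly() {
        XStream xstream = new XStream();
        XStream.setupDefaultSecurity(xstream); // registers the default blacklist (XStream 1.4.10+)
        xstream.alias("order", Order.class);
        return xstream;
    }

    // Hardened configuration: forbid every type, then re-allow only what is needed.
    // Permissions are evaluated in reverse order of registration, so NONE is the
    // fallback and the later allow rules win for the listed types.
    static XStream allowlistOnly() {
        XStream xstream = new XStream();
        XStream.setupDefaultSecurity(xstream);
        xstream.addPermission(NoTypePermission.NONE);              // reject everything ...
        xstream.addPermission(NullPermission.NULL);                // ... except null,
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers,
        xstream.allowTypes(new Class[] { String.class, Order.class }); // and our own DTO
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample input a legitimate client would send.
        String expected = "<order><id>A-1</id><quantity>3</quantity></order>";
        // Constructed sample input naming a JDK type the application never expects.
        String unexpected = "<java.util.Locale>en_US</java.util.Locale>";

        XStream weak = blacklistOnly();
        Object fromWeak = weak.fromXML(unexpected);
        // The blacklist has never heard of Locale, so the object is created.
        System.out.println("blacklist-only instantiated: " + fromWeak.getClass().getName()
                + " (" + (fromWeak instanceof Locale) + ")");

        XStream strong = allowlistOnly();
        Order order = (Order) strong.fromXML(expected);
        System.out.println("whitelist accepted order " + order.id + " x" + order.quantity);
        try {
            strong.fromXML(unexpected);
            System.out.println("whitelist unexpectedly accepted the input");
        } catch (ForbiddenClassException e) {
            // Rejected while resolving the element name, before any instance exists.
            System.out.println("whitelist rejected: " + e.getMessage());
        }
    }
}
```

The whitelist is enforced when XStream resolves the element name to a class, so a disallowed type is never instantiated and its constructors, converters and `readObject` logic never run. Keep the allowed set to the application's own DTOs plus the primitives and collection hierarchies they actually use; widening it to a broad package wildcard or to `java.**` reintroduces the exposure.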