On December 13, 2020, XStream issued a risk notice for Server-Side Request Forgery (SSRF) and Arbitrary File Deletion vulnerabilities. The vulnerability numbers are CVE-2020-26259 and CVE-2020-26258. The vulnerability level is high risk.
On a service running XStream, unauthenticated remote attackers can cause arbitrary file deletion or server-side request forgery by supplying specially constructed serialized data. A proof of concept (PoC) for the vulnerabilities has been made public.
CVE-2020-26258: A Server-Side Request Forgery can be triggered when unmarshalling with XStream, causing the server to access data streams from an arbitrary URL that references a resource on an intranet or on the local host.
CVE-2020-26259: XStream is vulnerable to arbitrary file deletion on the local host when unmarshalling, as long as the executing process has sufficient rights.
In this regard, we recommend that users promptly upgrade XStream to the latest version.