CVE-2020-26258, CVE-2020-26259: XStream Security Vulnerabilites Alert
On December 13, 2020, XStream issued a risk notice for Server-Side Forgery Requests and Arbitrary File Deletion vulnerabilities. The vulnerability numbers are CVE-2020-26259 and CVE-2020-26258. The vulnerability level is high risk.
On the service running XStream, unauthorized remote attackers can cause arbitrary file deletion/server request forgery by constructing specific serialized data. The POC of the vulnerability has been made public.
Vulnerability Detail
CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.
CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.
Affected version
- XStream <=1.4.14
Unaffected version
- XStream 1.4.15
Solution
In this regard, we recommend that users upgrade XStream to the latest version in time.
