CVE-2020-26217
CVE-2020-26217 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. EPSS estimates an 85.00% chance of exploitation in the next 30 days.
Description
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
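The description distinguishes the default blocklist (affected) from an explicit Security Framework allowlist (not affected). The following is an added example, not code from the XStream project or the advisory, showing what that allowlist configuration looks like; the `Order` class and the `order` alias are hypothetical stand-ins for an application's own types.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

public final class AllowlistedXStreamExample {

    /** Hypothetical domain type: the only object shape this service accepts from XML. */
    public static final class Order {
        public String id;
        public int quantity;
        public List<String> notes = new ArrayList<>();
    }

    /** Builds an XStream instance that deserializes nothing except the types listed here. */
    public static XStream allowlistedXStream() {
        XStream xstream = new XStream();
        // Deny every type first. NoTypePermission is evaluated last, so any class
        // not re-admitted below is rejected. Relying on the pre-1.4.14 blocklist
        // instead of this is the configuration the CVE describes as affected.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit the harmless basics: null, primitives and their wrappers, String.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Re-admit exactly the application's own types and the collections they use.
        xstream.allowTypes(new Class[] { String.class, ArrayList.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = allowlistedXStream();

        // Constructed sample input matching the allowlisted shape: deserializes normally.
        Order ok = (Order) xstream.fromXML(
            "<order><id>A-1</id><quantity>2</quantity><notes><string>gift</string></notes></order>");
        System.out.println("accepted order " + ok.id + " x" + ok.quantity);

        // Constructed sample input naming a type that is not allowlisted (here a plain
        // HashMap): the Security Framework rejects it before any object is constructed.
        try {
            xstream.fromXML("<java.util.HashMap/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern applies with `allowTypesByWildcard` for a package prefix; the narrower the list, the smaller the deserialization surface regardless of which XStream version is in use.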
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xstream | Xstream | < 1.4.14 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Netapp | Snapmanager | All versions |
| Apache | Activemq | < 5.15.14 |
| Apache | Activemq | 5.16.0 |
| Oracle | Banking Cash Management | 14.2 |
| Oracle | Banking Cash Management | 14.3 |
| Oracle | Banking Cash Management | 14.5 |
| Oracle | Banking Corporate Lending Process Management | 14.2 |
| Oracle | Banking Corporate Lending Process Management | 14.3 |
| Oracle | Banking Corporate Lending Process Management | 14.5 |
| Oracle | Banking Credit Facilities Process Management | 14.2 |
| Oracle | Banking Credit Facilities Process Management | 14.3 |
| Oracle | Banking Credit Facilities Process Management | 14.5 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Supply Chain Finance | 14.2 |
| Oracle | Banking Supply Chain Finance | 14.3 |
| Oracle | Banking Supply Chain Finance | 14.5 |
| Oracle | Banking Trade Finance Process Management | 14.2 |
| Oracle | Banking Trade Finance Process Management | 14.3 |
| Oracle | Banking Trade Finance Process Management | 14.5 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.5.0 |
| Oracle | Business Activity Monitoring | 11.1.1.9.0 |
| Oracle | Business Activity Monitoring | 12.2.1.3.0 |
| Oracle | Business Activity Monitoring | 12.2.1.4.0 |
| Oracle | Communications Policy Management | 12.5.0 |
| Oracle | Endeca Information Discovery Studio | 3.2.0.0 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Retail Xstore Point Of Service | 17.0.4 |
| Oracle | Retail Xstore Point Of Service | 18.0.3 |
| Oracle | Retail Xstore Point Of Service | 19.0.2 |
References
- https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a (Patch, Third Party Advisory)
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2 (Mitigation, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210409-0004/ (Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4811 (Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Not Applicable, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Not Applicable, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://x-stream.github.io/CVE-2020-26217.html (Exploit, Mitigation, Vendor Advisory)
Source: NVD / NIST
