XStream is vulnerable to remote code execution (RCE). The vulnerability exists through server-side request forgery when unmarshalling XStream objects with the java.beans.EventHandler, java.lang.ProcessBuilder, javax.imageio.ImageIO$ContainsFilter, and jdk.nashorn.internal.objects.NativeString classes.
github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce
github.com/x-stream/xstream/pull/234
github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
lists.debian.org/debian-lts-announce/2020/12/msg00042.html
lists.fedoraproject.org/archives/list/[email protected]/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
lists.fedoraproject.org/archives/list/[email protected]/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/
lists.fedoraproject.org/archives/list/[email protected]/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
security.netapp.com/advisory/ntap-20210409-0005/
www.debian.org/security/2021/dsa-4828
x-stream.github.io/CVE-2020-26258.html