Veracode Vulnerability Database: VERACODE:28627
History: Dec 17, 2020 - 3:43 a.m.

Remote Code Execution (RCE)

2020-12-17 03:43:07
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
51
rce
server-side request forgery
xstream objects
java.beans.eventhandler
java.lang.processbuilder
javax.imageio.imageio$containsfilter
jdk.nashorn.internal.objects.nativestring
vulnerability

EPSS: 0.902

Percentile: 98.9%

XStream is vulnerable to remote code execution (RCE). The vulnerability exists through server-side request forgery when unmarshalling XStream objects that reference the java.beans.EventHandler, java.lang.ProcessBuilder, javax.imageio.ImageIO$ContainsFilter, and jdk.nashorn.internal.objects.NativeString classes: attacker-controlled XML names these JDK classes as a gadget chain that ends in process execution. An application is exposed only if it unmarshals untrusted input with an XStream instance whose security framework has not been configured to permit just the application's own types; an allowlist that rejects the classes above blocks the chain.
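The following Java snippet is an added example, not code from the Veracode entry or from the XStream project. It contrasts a default XStream instance, which on a vulnerable release will resolve any class name the XML supplies, with one locked down through XStream's own security framework (addPermission, allowTypes, denyTypes, denyTypesByWildcard). The Greeting type, the "greeting" alias and the sample XML documents are hypothetical and constructed for the example; the gadget document only names one class from the chain and does not reproduce the exploit.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type: the only object we ever expect to unmarshal.
    public static class Greeting {
        public String text;
    }

    // Weak setting: on XStream releases before the allowlist became the default,
    // a bare instance accepts any class on the classpath, including the
    // EventHandler/ProcessBuilder/ImageIO$ContainsFilter/NativeString chain.
    public static XStream unsafe() {
        XStream xs = new XStream();
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    // Corrected setting: start from "deny everything", then re-admit only what
    // the application needs. The explicit deny entries are redundant once the
    // allowlist is in place but document the gadget classes for reviewers.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.alias("greeting", Greeting.class);
        xs.addPermission(NoTypePermission.NONE);            // clear default permissions
        xs.addPermission(NullPermission.NULL);              // allow null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Greeting.class });
        xs.denyTypes(new Class[] { java.beans.EventHandler.class, java.lang.ProcessBuilder.class });
        xs.denyTypesByWildcard(new String[] { "javax.imageio.**", "jdk.nashorn.**" });
        return xs;
    }

    // Returns the unmarshalled Greeting, or null if XStream refused a class in the document.
    public static Greeting parse(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return (o instanceof Greeting) ? (Greeting) o : null;
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents: one benign, one naming a class from the gadget chain.
        String benign = "<greeting><text>hello</text></greeting>";
        String gadget = "<java.lang.ProcessBuilder/>";

        XStream xs = hardened();
        Greeting g = parse(xs, benign);
        System.out.println("benign -> " + (g == null ? "null" : g.text)); // benign -> hello
        Greeting bad = parse(xs, gadget);
        System.out.println("gadget -> " + bad);                            // gadget -> null
    }
}
```

Run it against the XStream version your build actually resolves, not the one the project's documentation assumes: on releases where the allowlist is the default, `unsafe()` already rejects the gadget document, but the hardened configuration is what you should ship so that the behaviour does not depend on which 1.4.x line a transitive dependency pulls in.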