CVE-2020-26217
- Source
- https://cve.org/CVERecord?id=CVE-2020-26217
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26217.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-26217
- Aliases
- Downstream
- Related
- Published
- 2020-11-16T21:15:12.893Z
- Modified
- 2026-03-15T22:35:24.969701Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
- References
-
- https://www.debian.org/security/2020/dsa-4811
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
- https://security.netapp.com/advisory/ntap-20210409-0004/
- https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E
- https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://x-stream.github.io/CVE-2020-26217.html
Affected packages
Git / github.com/apache/activemq
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/activemq
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "5.15.14" }, { "introduced": "0" }, { "last_affected": "5.16.0" } ] }
Affected versions
Other
XSTREAM_1_4_10
XSTREAM_1_4_11
XSTREAM_1_4_11_1
XSTREAM_1_4_12
XSTREAM_1_4_13
XSTREAM_1_4_5
XSTREAM_1_4_9
activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.16.0
activemq-5.9.0
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "14.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.1.1.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.1.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.2.0.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18.0.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.0.2"
}
]
}
]
vanir_signatures
[
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"
},
"id": "CVE-2020-26217-62fc4d1d",
"deprecated": false,
"source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
"digest": {
"line_hashes": [
"36534078420505951630932717155066595606",
"167712592239746094751306022918018252816",
"317644733730249586699082543719012497198",
"147882892005919619167157629845016475938",
"310112206937186273496457350593858618322",
"212400998281365619402932426753096858535",
"98561082973858442458491193662279704329",
"140566921675937823121313754377213541683",
"55865721030239104668089207709746320035",
"226613955031940672379347694521770861245",
"224905054078361424294810803415096163072",
"304917238615893824511506291964377504692",
"95782208176028131388695258941550121531",
"28837992903177281865669434989913590989",
"199170493253428971075703026859805881887",
"37525357282441523443603245142652431206",
"145645811809558746125356472534965652414",
"46124708426586695108529983063240272933",
"13235285845647794166604326647201940192",
"194282790036325872265619217445543145245",
"57524199966063753519088560374134026781",
"302590889855058786938212722740100797184",
"287878836132345066373988020348693799345",
"55388299779160129076428276823673824851",
"79370552315750212097527417749468495751",
"58609552586332135734337986950425982652",
"274080513672262428135865176899633804291",
"140977745494268924825685328415719490273",
"284467441441206600708256211807478500031",
"304917238615893824511506291964377504692",
"95782208176028131388695258941550121531",
"28837992903177281865669434989913590989",
"199170493253428971075703026859805881887",
"37525357282441523443603245142652431206",
"145645811809558746125356472534965652414",
"46124708426586695108529983063240272933",
"330110021267849494055473811230632102184",
"276200769093194371420971142739798509370",
"95737149966117525507760249364270862720",
"263867514275934896738377568056758027090",
"48714228442327568100662768598747861880",
"212494145970732734032500827369388649428",
"182912325341326383473301608361159179741",
"88593924387143450924616786494852175367",
"151438248137756327111752360344123826640",
"248025821406173234794988814544699774100",
"309803324023024585825355197780470987251",
"315797621103349978137933836505191930530",
"82548540201317005602749919447493015094",
"270863949685038507274853685123980255028",
"171405365791934743455499209126098513808",
"244766781187162628268875854624811336252",
"166730865668170713317511943055644070483",
"292822050563300496692888095507552767585",
"63366177943000962629953594979726051287",
"268325377609045880961180859203858421206",
"253171137548256272141904701683387644168",
"262245883024142785000301742972088682103"
],
"threshold": 0.9
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java",
"function": "testExplicitlyConvertEventHandler"
},
"id": "CVE-2020-26217-7ccf807b",
"deprecated": false,
"source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
"digest": {
"function_hash": "135430061935714785873177556993178862123",
"length": 736.0
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java",
"function": "setupSecurity"
},
"id": "CVE-2020-26217-fda9c622",
"deprecated": false,
"source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
"digest": {
"function_hash": "86372899673399638265050073566564126629",
"length": 291.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "xstream/src/java/com/thoughtworks/xstream/XStream.java"
},
"id": "CVE-2020-26217-fdcfa9c0",
"deprecated": false,
"source": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a",
"digest": {
"line_hashes": [
"288917004095477301317786229564296666322",
"260891975351421313936228542580575721897",
"182758980270881807918382145153527672156",
"222093423178369917819573038757702447017"
],
"threshold": 0.9
}
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26217.json"