USN-4714-1

Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker could run arbitrary shell commands by manipulating the processed input stream. (CVE-2020-26217)

It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could request data from internal resources that are not publicly available only by manipulating the processed input stream. (CVE-2020-26258)

It was discovered that XStream was vulnerable to arbitrary file deletion on the local host. A remote attacker could use this to delete arbitrary known files on the host as long as the executing process had sufficient rights only by manipulating the processed input stream. (CVE-2020-26259)

References

Affected packages

Ubuntu:18.04:LTS / libxstream-java

Package

Name: libxstream-java
Purl: pkg:deb/ubuntu/libxstream-java@1.4.11.1-1~18.04.1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.11.1-1~18.04.1

Affected versions

1.*

1.4.10-1

1.4.11.1-1~18.04

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libxstream-java",
            "binary_version": "1.4.11.1-1~18.04.1"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:20.04:LTS / libxstream-java

Package

Name: libxstream-java
Purl: pkg:deb/ubuntu/libxstream-java@1.4.11.1-1ubuntu0.1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.11.1-1ubuntu0.1

Affected versions

1.*

1.4.11.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libxstream-java",
            "binary_version": "1.4.11.1-1ubuntu0.1"
        }
    ],
    "availability": "No subscription required"
}