PublicDateAtUSN: 2020-11-16 21:15:00 UTC
Candidate: CVE-2020-26217
PublicDate: 2020-11-16 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26217
 https://x-stream.github.io/CVE-2020-26217.html
 https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
 https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
 https://ubuntu.com/security/notices/USN-4714-1
 https://ubuntu.com/security/notices/USN-4943-1
Description:
 XStream before version 1.4.14 is vulnerable to Remote Code Execution.The
 vulnerability may allow a remote attacker to run arbitrary shell commands
 only by manipulating the processed input stream. Only users who rely on
 blocklists are affected. Anyone using XStream's Security Framework
 allowlist is not affected. The linked advisory provides code workarounds
 for users who cannot upgrade. The issue is fixed in version 1.4.14.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Zhihong Tian and Hui Lu
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_libxstream-java:
upstream_libxstream-java: needs-triage
precise/esm_libxstream-java: DNE
trusty_libxstream-java: ignored (out of standard support)
trusty/esm_libxstream-java: needs-triage
xenial_libxstream-java: ignored (end of standard support, was needs-triage)
bionic_libxstream-java: released (1.4.11.1-1~18.04.1)
focal_libxstream-java: released (1.4.11.1-1ubuntu0.1)
groovy_libxstream-java: released (1.4.11.1-2ubuntu0.1)
hirsute_libxstream-java: not-affected (1.4.14-1)
impish_libxstream-java: not-affected (1.4.14-1)
jammy_libxstream-java: not-affected (1.4.14-1)
devel_libxstream-java: not-affected (1.4.14-1)