What is the severity of CVE-2020-26259?

CVE-2020-26259 has a CVSS v3 score of 6.8, which is classified as Medium severity.

Is there an exploit available for CVE-2020-26259?

Yes, there are known exploits available for CVE-2020-26259. Immediate patching is recommended.

Is there a patch available for CVE-2020-26259?

Yes, patches are available for CVE-2020-26259. Check the vendor advisories for update instructions.

CVE-2020-26259 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.8

CVSS v26.4

Priority Score524.0

EPSS Score89.0

Medium

Exploitation LikelihoodCritical

89.00%EPSS

Very high probability of exploitation in the next 30 days

Immediate patching required

89.00%

EPSS

6.8

CVSS

Yes

Exploit

Yes

Patch

High Priority

high EPSS • exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream.

Patches

If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15.

Workarounds

The reported vulnerability does only exist with a JAX-WS runtime on the classpath.

No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability.

Users of XStream 1.4.14 or below who still insist to use XStream default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.

Users of XStream 1.4.14 can simply add two lines to XStream's setup code:

xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

Users of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });

Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter, java.beans.EventHandler, java.lang.ProcessBuilder, jdk.nashorn.internal.objects.NativeString.class, java.lang.Void and void and deny several types by name pattern.

xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, "jdk.nashorn.internal.objects.NativeString", java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:High

Privileges Required:Network

User Interaction:Network

Scope:Changed

Confidentiality:Network

Integrity:High

Availability:Network

Exploit References

GitHub GitHub GitHub

Patch References

Lists.apache.org

Vendor	Product
Fedoraproject	Fedora
Apache

Ready for Agentic Automated Testing?

CVE-2020-26259

Impact

Patches

Workarounds

For more information