CVE-2020-26259: OS Command Injection

December 16, 2020 (updated November 30, 2021)

XStream is a Java library to serialize objects to XML and back again. XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream’s Security Framework with an allow list. Anyone relying on XStream’s default block list can immediately switch to an allow list for the allowed types to avoid the vulnerability.

References

nvd.nist.gov/vuln/detail/CVE-2020-26259

Code Behaviors & Features

Detect and mitigate CVE-2020-26259 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →