ALT-PU-2021-5079-1

Package update xstream in branch sisyphus

Version1.4.14-alt1_2jpp8

Published2021-06-12

Max severityHIGH

Severity:

Closed issues (3)

HIGH8.0

Уязвимость Java-библиотеки для преобразования объектов в XML или JSON формат Xstream, существующая из-за непринятия мер по нейтрализации специальных элементов, используемых в команде операционной системы, позволяющая нарушителю выполнить произвольный код

Published: 2020-12-11Modified: 2023-11-21

CVSS 3.xHIGH 8.0

CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS 2.0HIGH 7.1

CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C

References

CVE-2020-26217

HIGH8.8

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Published: 2020-11-16Modified: 2025-05-23

CVSS 2.0CRITICAL 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

GHSA-mw36-7c6c-q4q2

HIGH8.0

XStream can be used for Remote Code Execution

Published: 2020-11-16Modified: 2025-09-03

CVSS 3.xHIGH 8.0

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

References