CVE-2020-26217 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	8 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
xstream	xstream	𝑥 < 1.4.14
debian	debian_linux	9.0
debian	debian_linux	10.0
netapp	snapmanager	*
netapp	snapmanager	-
apache	activemq	𝑥 < 5.15.14
apache	activemq	5.16.0
oracle	banking_cash_management	14.2
oracle	banking_cash_management	14.3
oracle	banking_cash_management	14.5
oracle	banking_corporate_lending_process_management	14.2
oracle	banking_corporate_lending_process_management	14.3
oracle	banking_corporate_lending_process_management	14.5
oracle	banking_credit_facilities_process_management	14.2
oracle	banking_credit_facilities_process_management	14.3
oracle	banking_credit_facilities_process_management	14.5
oracle	banking_platform	2.4.0
oracle	banking_platform	2.7.1
oracle	banking_platform	2.9.0
oracle	banking_supply_chain_finance	14.2
oracle	banking_supply_chain_finance	14.3
oracle	banking_supply_chain_finance	14.5
oracle	banking_trade_finance_process_management	14.2
oracle	banking_trade_finance_process_management	14.3
oracle	banking_trade_finance_process_management	14.5
oracle	banking_virtual_account_management	14.2.0
oracle	banking_virtual_account_management	14.3.0
oracle	banking_virtual_account_management	14.5.0
oracle	business_activity_monitoring	11.1.1.9.0
oracle	business_activity_monitoring	12.2.1.3.0
oracle	business_activity_monitoring	12.2.1.4.0
oracle	communications_policy_management	12.5.0
oracle	endeca_information_discovery_studio	3.2.0.0
oracle	retail_xstore_point_of_service	16.0.6
oracle	retail_xstore_point_of_service	17.0.4
oracle	retail_xstore_point_of_service	18.0.3
oracle	retail_xstore_point_of_service	19.0.2

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
x-stream	xstream	𝑥 < 1.4.14	CNA

Debian Releases

Debian Product

Codename

libxstream-java

bookworm	1.4.20-1 fixed
bullseye	1.4.15-3+deb11u2 fixed
bullseye (security)	1.4.15-3+deb11u2 fixed
sid	1.4.20-2 fixed
trixie	1.4.20-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libxstream-java

bionic	Fixed 1.4.11.1-1~18.04.1 released
focal	Fixed 1.4.11.1-1ubuntu0.1 released
groovy	Fixed 1.4.11.1-2ubuntu0.1 released
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	Fixed 1.4.7-1ubuntu0.1+esm2 released
xenial	Fixed 1.4.8-1ubuntu0.1+esm3 released

openSUSE / SLES Releases

openSUSE Product

Release

xstream

suse enterprise desktop 15 SP3	1.4.15-3.5.2 fixed
suse enterprise desktop 15 SP4	1.4.15-3.5.2 fixed
suse enterprise desktop 15 SP5	1.4.15-3.5.2 fixed
suse enterprise desktop 15 SP6	1.4.15-3.5.2 fixed
suse enterprise desktop 15 SP7	1.4.15-3.5.2 fixed
suse enterprise sap 15 SP3	1.4.15-3.5.2 fixed
suse enterprise sap 15 SP4	1.4.15-3.5.2 fixed
suse enterprise sap 15 SP5	1.4.15-3.5.2 fixed
suse enterprise sap 15 SP6	1.4.15-3.5.2 fixed
suse enterprise sap 15 SP7	1.4.15-3.5.2 fixed
suse enterprise server 15 SP3	1.4.15-3.5.2 fixed
suse enterprise server 15 SP4	1.4.15-3.5.2 fixed
suse enterprise server 15 SP5	1.4.15-3.5.2 fixed
suse enterprise server 15 SP6	1.4.15-3.5.2 fixed
suse enterprise server 15 SP7	1.4.15-3.5.2 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

xstream

RHEL 7

0:1.3.1-12.el7_9

fixed

xstream-javadoc

RHEL 7

0:1.3.1-12.el7_9

fixed

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E

https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html

https://security.netapp.com/advisory/ntap-20210409-0004/

https://www.debian.org/security/2020/dsa-4811

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://x-stream.github.io/CVE-2020-26217.html

https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a

https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E

https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html

https://security.netapp.com/advisory/ntap-20210409-0004/

https://www.debian.org/security/2020/dsa-4811

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://x-stream.github.io/CVE-2020-26217.html