Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-26258
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Server-Side Forgery Request can be activated unmarshalling with XStream
Source: NVD (National Vulnerability Database)
Vulnerability Description
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
XStream 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
XStream是XStream(Xstream)团队的一个轻量级的、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 存在代码问题漏洞,该漏洞源于服务器端伪造请求漏洞可以在解组时激活。该漏洞可能允许远程攻击者可利用该漏洞通过操纵已处理的输入流从内部资源请求不能公开使用的数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
x-streamxstream < 1.4.15 -
II. Public POCs for CVE-2020-26258
#POC DescriptionSource LinkShenlong Link
1CVE-2020-26258 && XStream SSRFhttps://github.com/Al1ex/CVE-2020-26258POC Details
2XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yamlPOC Details
3Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/XStream%20SSRF%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20CVE-2020-26258.mdPOC Details
4Nonehttps://github.com/cuijiung/xstream-CVE-2020-26258POC Details
5Nonehttps://github.com/andikahilmy/CVE-2020-26258-xstream-vulnerablePOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2020-26258
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: xstream
Same vendor: x-stream
Same weakness: CWE-918
V. Comments for CVE-2020-26258

No comments yet

Leave a comment