What is CVE-2020-26258?

CVE-2020-26258 is a medium-severity vulnerability in X-stream Xstream, classified under Server-Side Request Forgery (SSRF). CVSS score: 6.3/10. Published 2020-12-16.

How severe is CVE-2020-26258?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Is CVE-2020-26258 known to be exploited?

25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SSRF in X-stream Xstream

CVE-2020-26258

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to reque…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.937 (99.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N.

Affected products

X-stream Xstream — versions < 1.4.15

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

Public proof-of-concept exploits

References

https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28 (x_refsource_CONFIRM)
https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E (x_refsource_MISC)
https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html (x_refsource_MISC)
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP (x_refsource_MISC)
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7 (x_refsource_MISC)
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB (x_refsource_MISC)
https://security.netapp.com/advisory/ntap-20210409-0005 (x_refsource_MISC)
https://www.debian.org/security/2021/dsa-4828 (x_refsource_MISC)
https://x-stream.github.io/CVE-2020-26258.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-26258?: CVE-2020-26258 is a medium-severity vulnerability in X-stream Xstream, classified under Server-Side Request Forgery (SSRF). CVSS score: 6.3/10. Published 2020-12-16.
How severe is CVE-2020-26258?: Medium severity. CVSS v3 base score is 6.3 out of 10.
Is CVE-2020-26258 known to be exploited?: 25 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.