Multiple vulnerabilities in XStream

Published: 2020-12-16

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-26259 CVE-2020-26258
CWE-ID	CWE-20 CWE-918
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software Subscribe	xstream Universal components / Libraries / Libraries used by multiple products
Vendor	XStream

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU49040

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26259

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to delete arbitrary files on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the blacklisting feature. A remote attacker can pass specially crafted input to the application and delete arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

xstream: 1.4.1 - 1.4.14

External links

http://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
http://x-stream.github.io/CVE-2020-26259.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU49041

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-26258

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)