CVE-2020-26258
Server-Side Request Forgery vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2020-26258 About?
This is a Server-Side Request Forgery (SSRF) vulnerability in XStream, allowing remote attackers to request data from internal resources. It can lead to information disclosure or further attacks. Exploitation is relatively easy by manipulating the input stream.
Affected Software
Technical Details
The vulnerability allows a remote attacker to make the server initiate requests to arbitrary internal or external network locations by manipulating the input stream it processes. This is a Server-Side Request Forgery (SSRF) flaw: when XStream deserializes crafted input, it can be coerced into making HTTP requests or other network connections from the server on which it runs. The attacker achieves this by embedding specific references or structures in the XML/JSON input that XStream processes, which then resolve to internal URLs or resources reachable only from the server's network. This bypasses typical perimeter defenses and exposes resources that are not publicly available. The vulnerability can be prevented by whitelisting allowed types in XStream's security framework, because the default blacklist is insufficient to block the types that trigger the SSRF.
What is the Impact of CVE-2020-26258?
Successful exploitation may allow attackers to disclose sensitive information from internal networks, access internal services, bypass firewalls, and potentially launch further attacks.
What is the Exploitability of CVE-2020-26258?
Exploitation is of medium complexity; it primarily requires that a remote attacker can send crafted input to the XStream library. There are no authentication or privilege requirements, so any remote attacker who can interact with the application can attempt it. The system needs to be processing input via XStream, and the vulnerability is remotely exploitable. Risk factors that increase the likelihood of exploitation include relying on the default blacklist of XStream's Security Framework instead of a restrictive whitelist, and running on Java versions older than 15. The attacker needs to identify which types can be used to trigger the SSRF.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Al1ex | Link | CVE-2020-26258 && XStream SSRF |
| cuijiung | Link | PoC for CVE-2020-26258 |
What are the Available Fixes for CVE-2020-26258?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
  - <1.4.15 → Upgrade to 1.4.15
Additional Resources
- https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7
- https://osv.dev/vulnerability/GHSA-4cch-wxpw-8p28
- https://x-stream.github.io/CVE-2020-26258.html
What are Similar Vulnerabilities to CVE-2020-26258?
Similar Vulnerabilities: CVE-2021-21348, CVE-2020-26259, CVE-2021-21347, CVE-2021-21350, CVE-2021-43297
