CVE-2020-26259
Arbitrary File Deletion vulnerability in com.thoughtworks.xstream:xstream
What is CVE-2020-26259 About?
This vulnerability allows a remote attacker to delete arbitrary files on the host system by manipulating the processed input stream of XStream. The impact is limited to files that the executing process has sufficient rights to delete. Exploitation is possible if the application relies on XStream's default blacklist and a specific JAX-WS runtime is on the classpath.
Affected Software
Technical Details
The vulnerability in XStream allows arbitrary file deletion through an insecure deserialization flaw that becomes reachable when a JAX-WS runtime is on the classpath. An attacker who controls the input stream processed by XStream can construct an object graph that, when unmarshalled, triggers a file deletion. Specifically, the flaw involves types such as `jdk.nashorn.internal.objects.NativeString` and classes matching `.*\.ReadAllStream\$FileStream`, which, unless deserialization is restricted to an explicit whitelist, can be instantiated from the input and used to interact with the file system. By crafting malicious XML or JSON input, an attacker can name a file path that the deserializing process will then attempt to delete, provided the process has the necessary file system permissions.
What is the Impact of CVE-2020-26259?
Successful exploitation may allow attackers to delete arbitrary files, leading to denial of service, data loss, or system instability.
What is the Exploitability of CVE-2020-26259?
Exploitation depends on the XStream configuration; specifically, if it relies on its default blacklist for the Security Framework instead of a recommended whitelist, and if a JAX-WS runtime is present on the classpath. This is a remote attack, requiring the attacker to manipulate the input stream that XStream processes. No specific authentication or privilege is required beyond the ability to send a malicious input stream to the application utilizing XStream. The exploitability complexity is moderate due to the need for specific classpath dependencies and XStream configuration. Applications processing untrusted input streams are at significantly higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| jas502n | Link | CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. |
| Al1ex | Link | CVE-2020-26259 && XStream Arbitrary File Delete |
| cuijiung | Link | PoC for CVE-2020-26259 |
What are the Available Fixes for CVE-2020-26259?
Available Upgrade Options
- com.thoughtworks.xstream:xstream
- <1.4.15 → Upgrade to 1.4.15
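The whitelist configuration that the exploitability and fix guidance refer to, as an added example that is not part of the advisory or of the XStream project's own code; it assumes XStream 1.4.15 or later (the fixed version) on the classpath and a hypothetical application class `Person`:

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

public class XStreamWhitelistExample {

    // Hypothetical application type: the only user class this instance may create.
    public static class Person {
        String name;
        int age;
    }

    // Builds an XStream instance that rejects every type not explicitly allowed,
    // instead of relying on the default blacklist the advisory warns about.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.alias("person", Person.class);
        // Clear all permissions ("deny everything"), then open only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypes(new Class[] { String.class, Person.class });
        // Nothing from the JDK or from runtimes such as JAX-WS is allowed, so a
        // document naming such a class is refused whatever is on the classpath.
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed benign input naming a whitelisted type: deserializes normally.
        Person p = (Person) xstream.fromXML("<person><name>alice</name><age>30</age></person>");
        System.out.println("parsed " + p.name + ", " + p.age);

        // Constructed input naming a JDK type outside the whitelist: the Security
        // Framework throws before any object of that type is instantiated.
        try {
            xstream.fromXML("<java.util.Locale><language>en</language></java.util.Locale>");
            System.out.println("unexpected: unlisted type accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to 1.4.15 fixes this CVE, but the whitelist above is what protects against input naming any other gadget class the default blacklist does not yet cover.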
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/
- https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html
- https://x-stream.github.io/CVE-2020-26259.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/
- https://github.com/x-stream/xstream
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E
- https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh
- https://security.netapp.com/advisory/ntap-20210409-0005
- https://osv.dev/vulnerability/GHSA-jfvx-7wrx-43fh
- https://www.debian.org/security/2021/dsa-4828
What are Similar Vulnerabilities to CVE-2020-26259?
Similar Vulnerabilities: CVE-2021-39144, CVE-2020-26258, CVE-2017-7957, CVE-2016-3674, CVE-2014-0099
