Service Notices
Remote Code Execution Vulnerability (CVE-2020-26217) in XStream 1.4.13 and Earlier Versions
Nov 18, 2020 GMT+08:00
I. Overview
XStream has officially released version 1.4.14 and disclosed a remote code execution vulnerability (CVE-2020-26217) that affects XStream 1.4.13 and earlier versions. XStream is a Java class library used to serialize objects to XML (or JSON) and back again. An attacker can craft a malicious XML document that bypasses the default blacklist in an affected XStream version and triggers remote code execution when it is deserialized.
If you are an XStream user, check your system and implement timely security hardening.
References:
http://x-stream.github.io/CVE-2020-26217.html
http://x-stream.github.io/news.html
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
XStream 1.4.13 and earlier versions
Secure version:
XStream 1.4.14
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service uses a version in the affected range, upgrade to the latest secure version:
http://x-stream.github.io/download.html
Note: Before applying the fix, back up your files and test the upgrade thoroughly.