Remote Code Execution Vulnerability (CVE-2020-26217) in XStream 1.4.13 and Earlier Versions
Nov 18, 2020 GMT+08:00
XStream has officially released the latest version, 1.4.14, and disclosed a remote code execution vulnerability (CVE-2020-26217) that affects XStream 1.4.13 and earlier versions. XStream is a Java class library used to serialize objects to XML (or JSON) and deserialize them back again. Attackers can craft malicious XML documents that bypass the default blacklist of an affected XStream version and trigger remote code execution during deserialization.
If you are an XStream user, check your system and implement timely security hardening.
(Severity: low, moderate, important, and critical)
III. Affected Products
XStream 1.4.13 and earlier versions
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service uses a version in the affected range, upgrade it to the latest secure version.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
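Alongside the upgrade, the hardening the bulletin calls for can be applied in application code by switching XStream from its default type blacklist to an explicit allowlist, so that any XML naming a type the application never expects is rejected before an instance is created. The following is an added example, not code from the bulletin or from the XStream project; it uses the XStream 1.4.x security framework API (`setupDefaultSecurity`, `addPermission`, `allowTypes`), and the `Greeting` class and the two XML inputs are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamExample {

    // Hypothetical application type: the only object this deserializer should ever produce.
    public static class Greeting {
        public String message;
    }

    // Build an XStream instance that refuses every type except an explicit allowlist.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Apply the 1.4.x default security setup first (the library's own blacklist),
        // then clear all permissions and rebuild an allowlist from nothing.
        XStream.setupDefaultSecurity(xstream);
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Greeting.class });
        // Map the element name used in the expected document to the allowed class.
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    // Returns true when the document deserializes, false when the security
    // framework rejects a type that is not on the allowlist.
    public static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (ForbiddenClassException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed input 1: the expected document, which deserializes normally.
        String expected = "<greeting><message>hello</message></greeting>";
        System.out.println("expected document accepted: " + accepts(xstream, expected));

        // Constructed input 2: a document naming a type outside the allowlist.
        // Any class name not explicitly allowed is refused, whatever it is.
        String unexpected = "<java.util.ArrayList/>";
        System.out.println("unexpected type accepted: " + accepts(xstream, unexpected));
    }
}
```

Running this prints `true` for the expected document and `false` for the document naming a type outside the allowlist. The allowlist limits what a crafted document can instantiate even when a future bypass of the blacklist appears, which is why it complements rather than replaces the upgrade; `setupDefaultSecurity` is the 1.4.x entry point and newer releases make the allowlist the default.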