[CIRC-1086] xstream 1.4.15 fixing Arbitrary File Deletion vulnerability (CVE-2020-26259) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 19.2.8
Fix Version/s: 20.0.0
Labels:
- security

Template:

Standard Bug Write-Up Format
Story Points:
0.5
Development Team:
None

Description

Overview:

XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

All versions until and including version 1.4.14 are affected running in a Java environment containing the JAX-WS runtime, if using the version out of the box.

Details: https://x-stream.github.io/CVE-2020-26259.html

Fix:

Update the XStream version from 1.4.14 to 1.4.15.

TestRail: Results

Attachments

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 16/Feb/21 2:59 PM

Updated:: 12/Mar/21 11:18 AM

Resolved:: 18/Feb/21 11:11 AM

xstream 1.4.15 fixing Arbitrary File Deletion vulnerability (CVE-2020-26259)