XStream SSRF vulnerability (CVE-2020-26258)

CVSS v2 base score: 5.0
Published: 2020-12-16
Revised: 2021-11-30

# CVE-2020-26258

## Vulnerability

CVE-2020-26258: A Server-Side Request Forgery can be triggered when unmarshalling with XStream, causing the server to access data streams from an arbitrary URL that references a resource in an intranet or on the local host.

## Affected Versions

All versions up to and including 1.4.14 are affected when running in a Java environment below Java 15, if using the version out of the box. No user is affected who followed the recommendation to set up [XStream's security framework](http://x-stream.github.io/security.html#framework) with a whitelist.

## Description

The stream processed at unmarshalling time contains type information used to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery.

## Steps to Reproduce

Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following...
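The following Java program is an added illustration of the mechanism in the description; it is not code from the page or from the XStream advisory. It marshals a HashMap with XStream, tampers with the element name that XStream later treats as type information, and shows that an out-of-the-box instance instantiates whatever class the stream names, while an instance configured with the security framework's whitelist rejects the same input with a ForbiddenClassException. The `Injected` class is a harmless constructed stand-in for the gadget types of the real PoC, which is truncated on this page and not reproduced here. The code assumes an XStream 1.4.x jar on the classpath (the security framework API used here exists from 1.4.7 onwards).

```java
import java.util.HashMap;
import java.util.Map;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Hypothetical, harmless stand-in for the classes an attacker would name in the
 * stream. It only serves to show that the stream, not the application, picks the type.
 */
class Injected {
}

public class XStreamWhitelistDemo {

    /** Out-of-the-box instance: every class reachable on the classpath can be named in the stream. */
    static XStream unhardened() {
        return new XStream();
    }

    /**
     * Whitelist as recommended on x-stream.github.io/security.html#framework:
     * drop every existing permission, then allow only the types the application expects.
     */
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);            // forbid everything first
        xstream.addPermission(NullPermission.NULL);              // allow <null/> elements
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { HashMap.class, String.class });
        return xstream;
    }

    public static void main(String[] args) {
        Map<String, String> original = new HashMap<>();
        original.put("user", "alice");

        // First step of the advisory's reproduction: marshal a HashMap. The element names
        // (<map>, <entry>, <string>) are the type information XStream reads back later.
        String xml = unhardened().toXML(original);
        System.out.println(xml);

        // Constructed tampering: the value's element is replaced by another type name,
        // exactly the "replace or inject objects" step from the description.
        String tampered = xml.replace("<string>alice</string>", "<Injected/>");

        // Out of the box, XStream instantiates the class the stream named.
        Object loose = unhardened().fromXML(tampered);
        Object value = ((Map<?, ?>) loose).get("user");
        System.out.println("out of the box: value is an instance of " + value.getClass().getName());

        // With the whitelist, legitimate input still round-trips ...
        Object ok = hardened().fromXML(xml);
        System.out.println("hardened, untampered input: " + ok);

        // ... but the tampered stream is rejected before any instance is created.
        try {
            hardened().fromXML(tampered);
            System.out.println("hardened: unexpected, tampered input was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("hardened: rejected type " + e.getMessage());
        }
    }
}
```

The whitelist is the mitigation the advisory refers to: the fix is not to filter a particular gadget class out of the stream but to deny every type the application did not explicitly expect, so a newly discovered gadget adds nothing an attacker can instantiate.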

No exploit or PoC is currently available.
There are currently 6 affected-product records.