CVE-2020-26217

Published: Nov 16, 2020Modified: May 23, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Affected (37)

Products: Xstream: Xstream · Debian: Debian Linux · Netapp: Snapmanager · +2 more

Show all products

1 product

1 product

1 product

1 product

11 products

Banking Cash Management

Banking Corporate Lending Process Management

Banking Credit Facilities Process Management

Banking Platform

Banking Supply Chain Finance

Banking Trade Finance Process Management

Banking Virtual Account Management

Business Activity Monitoring

Communications Policy Management

Endeca Information Discovery Studio

Retail Xstore Point Of Service

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Xstream Xstream	Before 1.4.14

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Snapmanager	All versions
Netapp Snapmanager	All versions

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Before 5.15.14
Apache Activemq	Version 5.16.0

Configuration E

30 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Cash Management	Version 14.2
Oracle Banking Cash Management	Version 14.3
Oracle Banking Cash Management	Version 14.5
Oracle Banking Corporate Lending Process Management	Version 14.2
Oracle Banking Corporate Lending Process Management	Version 14.3
Oracle Banking Corporate Lending Process Management	Version 14.5
Oracle Banking Credit Facilities Process Management	Version 14.2
Oracle Banking Credit Facilities Process Management	Version 14.3
Oracle Banking Credit Facilities Process Management	Version 14.5
Oracle Banking Platform	Version 2.4.0
Oracle Banking Platform	Version 2.7.1
Oracle Banking Platform	Version 2.9.0
Oracle Banking Supply Chain Finance	Version 14.2
Oracle Banking Supply Chain Finance	Version 14.3
Oracle Banking Supply Chain Finance	Version 14.5
Oracle Banking Trade Finance Process Management	Version 14.2
Oracle Banking Trade Finance Process Management	Version 14.3
Oracle Banking Trade Finance Process Management	Version 14.5
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Business Activity Monitoring	Version 11.1.1.9.0
Oracle Business Activity Monitoring	Version 12.2.1.3.0
Oracle Business Activity Monitoring	Version 12.2.1.4.0
Oracle Communications Policy Management	Version 12.5.0
Oracle Endeca Information Discovery Studio	Version 3.2.0.0
Oracle Retail Xstore Point Of Service	Version 16.0.6
Oracle Retail Xstore Point Of Service	Version 17.0.4
Oracle Retail Xstore Point Of Service	Version 18.0.3
Oracle Retail Xstore Point Of Service	Version 19.0.2

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.