{"id":"CVE-2020-26217","details":"XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.","aliases":["BIT-activemq-2020-26217","GHSA-mw36-7c6c-q4q2"],"modified":"2026-05-11T05:25:03.313593Z","published":"2020-11-16T21:15:12.893Z","related":["SUSE-SU-2021:0176-1","SUSE-SU-2021:0906-1","openSUSE-SU-2021:0140-1","openSUSE-SU-2024:10592-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"5.15.14"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"5.16.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:activemq:5.16.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_cash_management:14.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_cash_management:14.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_cash_management:14.5:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_credit_facilities_proc
ess_management:14.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"2.4.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"2.7.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"2.9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.3.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"14.5.0"}],"source":"C
PE_FIELD","cpe":"cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"11.1.1.9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:business_activity_monitoring:11.1.1.9.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.2.1.3.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.3.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.2.1.4.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.5.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"3.2.0.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"16.0.6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"17.0.4"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"18.0.3"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"19.0.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"10.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210409-0004/"}
,{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4811"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e%40%3Cissues.activemq.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9%40%3Ccommits.camel.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c%40%3Cissues.activemq.apache.org%3E"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3%40%3Cissues.activemq.apache.org%3E"},{"type":"FIX","url":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"EVIDENCE","url":"https://x-stream.github.io/CVE-2020-26217.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/x-stream/xstream","events":[{"introduced":"0"},{"fixed":"b9f6f5924681f1d37484df4197712bb768f7ec44"},{"fixed":"0fec095d534126931c99fd38e9c6d41f5c685c1a"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.4.14"}],"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:*"}}],"versions":["XSTREAM_1_4_10","XSTREAM_1_4_11","XSTREAM_1_4_11_1","XSTREAM_1_4_12","XSTREAM_1_4_13","XSTREAM_1_4_5","XSTREAM_1_4_9"],"database_specific":{"vanir_signatures":[{"target":{"file":"xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java"},"digest":{"threshold":0.9,"line_hashes":["36534078420505951630
932717155066595606","167712592239746094751306022918018252816","317644733730249586699082543719012497198","147882892005919619167157629845016475938","310112206937186273496457350593858618322","212400998281365619402932426753096858535","98561082973858442458491193662279704329","140566921675937823121313754377213541683","55865721030239104668089207709746320035","226613955031940672379347694521770861245","224905054078361424294810803415096163072","304917238615893824511506291964377504692","95782208176028131388695258941550121531","28837992903177281865669434989913590989","199170493253428971075703026859805881887","37525357282441523443603245142652431206","145645811809558746125356472534965652414","46124708426586695108529983063240272933","13235285845647794166604326647201940192","194282790036325872265619217445543145245","57524199966063753519088560374134026781","302590889855058786938212722740100797184","287878836132345066373988020348693799345","55388299779160129076428276823673824851","79370552315750212097527417749468495751","58609552586332135734337986950425982652","274080513672262428135865176899633804291","140977745494268924825685328415719490273","284467441441206600708256211807478500031","304917238615893824511506291964377504692","95782208176028131388695258941550121531","28837992903177281865669434989913590989","199170493253428971075703026859805881887","37525357282441523443603245142652431206","145645811809558746125356472534965652414","46124708426586695108529983063240272933","330110021267849494055473811230632102184","276200769093194371420971142739798509370","95737149966117525507760249364270862720","263867514275934896738377568056758027090","48714228442327568100662768598747861880","212494145970732734032500827369388649428","182912325341326383473301608361159179741","88593924387143450924616786494852175367","151438248137756327111752360344123826640","248025821406173234794988814544699774100","309803324023024585825355197780470987251","315797621103349978137933836505191930530","82548540201317005602749
919447493015094","270863949685038507274853685123980255028","171405365791934743455499209126098513808","244766781187162628268875854624811336252","166730865668170713317511943055644070483","292822050563300496692888095507552767585","63366177943000962629953594979726051287","268325377609045880961180859203858421206","253171137548256272141904701683387644168","262245883024142785000301742972088682103"]},"id":"CVE-2020-26217-62fc4d1d","signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"target":{"file":"xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java","function":"testExplicitlyConvertEventHandler"},"digest":{"length":736,"function_hash":"135430061935714785873177556993178862123"},"id":"CVE-2020-26217-7ccf807b","signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"target":{"file":"xstream/src/java/com/thoughtworks/xstream/XStream.java","function":"setupSecurity"},"digest":{"length":291,"function_hash":"86372899673399638265050073566564126629"},"id":"CVE-2020-26217-fda9c622","signature_version":"v1","signature_type":"Function","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"},{"target":{"file":"xstream/src/java/com/thoughtworks/xstream/XStream.java"},"digest":{"threshold":0.9,"line_hashes":["288917004095477301317786229564296666322","260891975351421313936228542580575721897","182758980270881807918382145153527672156","222093423178369917819573038757702447017"]},"id":"CVE-2020-26217-fdcfa9c0","signature_version":"v1","signature_type":"Line","deprecated":false,"source":"https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"}],"vanir_signatures_modified":"2026-05-11T05:25:03Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversio
n/osv-output/CVE-2020-26217.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}