How severe is CVE-2020-26258?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.7 out of 10.

What type of vulnerability is CVE-2020-26258?

This is classified as CWE-918, which is a common weakness in software security.

CVE-2020-26258 - HIGH Severity | CVSS 7.7

Vulnerability Description

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Related Vulnerabilities

CVE-2016-4374

HIGH

CVSS:7.7(High)

HPE Release Control (RC) 9.13, 9.20, and 9.21 before 9.21.0005 p4 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, and consequently obtain sensitive information...

CWE-9182016

CVE-2017-7566

HIGH

CVSS:7.7(High)

MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.

CWE-9182017

CVE-2018-19571

HIGH

CVSS:7.7(High)

GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

CWE-9182018

CVE-2019-15033

HIGH

CVSS:7.7(High)

Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as ...

CWE-9182019

CVE-2019-6257

HIGH

CVSS:7.7(High)

A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in p...

CWE-9182019

CVE-2019-7652

HIGH

CVSS:7.7(High)

TheHive Project UnshortenLink analyzer before 1.1, included in Cortex-Analyzers before 1.15.2, has SSRF. To exploit the vulnerability, an attacker must create a new analysis, select URL for Data Type,...

CWE-9182019