9.3
CVE-2020-26217
- EPSS 93.01%
- Published 16.11.2020 21:15:12
- Last modified 23.05.2025 16:54:19
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
Data is provided by the National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Netapp ≫ Snapmanager SwPlatformsap
Netapp ≫ Snapmanager Version- Update- SwPlatformoracle
Oracle ≫ Banking Cash Management Version14.2
Oracle ≫ Banking Cash Management Version14.3
Oracle ≫ Banking Cash Management Version14.5
Oracle ≫ Banking Corporate Lending Process Management Version14.2
Oracle ≫ Banking Corporate Lending Process Management Version14.3
Oracle ≫ Banking Corporate Lending Process Management Version14.5
Oracle ≫ Banking Credit Facilities Process Management Version14.2
Oracle ≫ Banking Credit Facilities Process Management Version14.3
Oracle ≫ Banking Credit Facilities Process Management Version14.5
Oracle ≫ Banking Platform Version2.4.0
Oracle ≫ Banking Platform Version2.7.1
Oracle ≫ Banking Platform Version2.9.0
Oracle ≫ Banking Supply Chain Finance Version14.2
Oracle ≫ Banking Supply Chain Finance Version14.3
Oracle ≫ Banking Supply Chain Finance Version14.5
Oracle ≫ Banking Trade Finance Process Management Version14.2
Oracle ≫ Banking Trade Finance Process Management Version14.3
Oracle ≫ Banking Trade Finance Process Management Version14.5
Oracle ≫ Banking Virtual Account Management Version14.2.0
Oracle ≫ Banking Virtual Account Management Version14.3.0
Oracle ≫ Banking Virtual Account Management Version14.5.0
Oracle ≫ Business Activity Monitoring Version11.1.1.9.0
Oracle ≫ Business Activity Monitoring Version12.2.1.3.0
Oracle ≫ Business Activity Monitoring Version12.2.1.4.0
Oracle ≫ Communications Policy Management Version12.5.0
Oracle ≫ Endeca Information Discovery Studio Version3.2.0.0
Oracle ≫ Retail Xstore Point Of Service Version16.0.6
Oracle ≫ Retail Xstore Point Of Service Version17.0.4
Oracle ≫ Retail Xstore Point Of Service Version18.0.3
Oracle ≫ Retail Xstore Point Of Service Version19.0.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.01% | 0.998 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
| security-advisories@github.com | 8 | 1.3 | 6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.