SL150 - CVE-2020-26259, Deserialization Vulnerability That Attackers Can Send Serialized Data to the Target Server
(Doc ID 2760993.1)
Last updated on JULY 25, 2022
Applies to:
StorageTek SL150 Modular Tape Library - Version All Versions and later
Information in this document applies to any platform.
Symptoms
XStream has a deserialization vulnerability: an attacker who can send serialized data to the target server can, by serializing a crafted object, cause arbitrary file deletion in the background when that data is deserialized (CVE-2020-26259).
A service running XStream can also be made to construct specific XML/JSON requests while processing deserialized data, resulting in server-side request forgery (CVE-2020-26258).
Vulnerability Number
CVE-2020-26259
CVE-2020-26258
Affected version
XStream <= 1.4.14
Unaffected version
XStream 1.4.15
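The following is an added illustration, not code from Oracle or from the XStream project: both issues above are reached only because the XStream instance is willing to instantiate whatever class name the incoming XML/JSON document names. Beyond upgrading to 1.4.15, the mitigation the XStream project recommends for this class of bug is to run the library with an explicit type allowlist, so that a document naming any class outside the application's own model is rejected with ForbiddenClassException before a converter ever touches it. The Job class, the "job" alias and the two sample documents are constructed for this example; the XStream calls (setupDefaultSecurity, allowTypes, alias, fromXML) are real API available in 1.4.10 and later.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistExample {

    // Hypothetical data type the service legitimately exchanges (assumption, not from the advisory).
    public static class Job {
        public String name;
        public int priority;
    }

    // Returns an XStream instance that refuses to unmarshal any type not explicitly allowed.
    public static XStream hardened() {
        XStream xstream = new XStream();
        // Replaces XStream's permissive pre-1.4.18 defaults with a deny-by-default baseline
        // (deprecated from 1.4.18 on, where the allowlist is already the default, but still effective).
        XStream.setupDefaultSecurity(xstream);
        // Allow only the application's own types; any other class name in the input
        // raises ForbiddenClassException inside fromXML.
        xstream.allowTypes(new Class[] { Job.class });
        xstream.alias("job", Job.class);
        return xstream;
    }

    // Deserializes untrusted XML, returning null (and logging the rejection) instead of
    // letting a disallowed type reach XStream's converter machinery.
    public static Job parseJob(XStream xstream, String xml) {
        try {
            return (Job) xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.err.println("rejected document naming disallowed type: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();

        // Constructed sample input: the document the service expects.
        String expected = "<job><name>nightly-backup</name><priority>3</priority></job>";
        Job job = parseJob(xstream, expected);
        System.out.println("parsed job: " + job.name + " / priority " + job.priority);

        // Constructed sample input: a document naming a JDK class outside the allowlist.
        // Whether the named class is harmless or a gadget makes no difference; it is
        // rejected before instantiation, which is the property that closes this bug class.
        String unexpected = "<java.awt.Point><x>1</x><y>2</y></java.awt.Point>";
        Job rejected = parseJob(xstream, unexpected);
        System.out.println("unexpected document accepted? " + (rejected != null));
    }
}
```

Run with xstream 1.4.15 or later on the classpath. The first document parses normally; the second is refused by the security mapper, so the only log line a defender needs to watch for is the "rejected document naming disallowed type" message, which is also a useful detection signal for probing against the service.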
Changes
Cause