SL150 - CVE-2020-26259, Deserialization Vulnerability That Attackers Can Send Serialized Data to the Target Server
(Doc ID 2760993.1)
Last updated on MARCH 16, 2021
Applies to: StorageTek SL150 Modular Tape Library - Version All Versions and later
Information in this document applies to any platform.
XStream has a deserialization vulnerability (CVE-2020-26259): an attacker can serialize a materialized object and send the serialized data to the target server, and deserializing that data in the background can cause arbitrary file deletion.
When a service running XStream processes deserialized data, specially constructed XML/JSON requests can cause server-side request forgery (CVE-2020-26258).
XStream <= 1.4.14
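One way to check a jar inventory against the version range stated above, as an added example that is not part of the Oracle document. The file paths are constructed sample input, and `audit` and `parse_version` are hypothetical helper names.

```python
import re

# Upper bound taken from the text above ("XStream <= 1.4.14").
LAST_AFFECTED = (1, 4, 14)
CVES = ("CVE-2020-26258", "CVE-2020-26259")

# Matches the core artifact "xstream-<version>[-qualifier].jar" at the end of a
# path. Sibling artifacts such as "xstream-hibernate-..." are not matched
# because a digit must follow "xstream-".
JAR_RE = re.compile(
    r"(?:^|[/\\])xstream-(\d+(?:\.\d+)*)([-.][A-Za-z][\w.-]*)?\.jar$"
)

def parse_version(text):
    """Turn '1.4.9' into (1, 4, 9); short versions are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(paths):
    """Return (path, version, in_range) for every XStream core jar in paths."""
    findings = []
    for raw in paths:
        path = raw.strip()
        match = JAR_RE.search(path)
        if match is None:
            continue
        # Qualifiers (e.g. "-java7") are ignored: only the numeric part
        # decides whether the jar falls inside the stated range.
        in_range = parse_version(match.group(1)) <= LAST_AFFECTED
        findings.append((path, match.group(1), in_range))
    return findings

# Constructed sample listing (e.g. the output of `find . -name '*.jar'`).
SAMPLE_LISTING = """\
/opt/app/lib/xstream-1.4.14.jar
/opt/app/lib/xstream-1.4.15.jar
/opt/app/WEB-INF/lib/xstream-1.4.11.1.jar
/opt/app/lib/xstream-1.4.14-java7.jar
/opt/app/lib/xstream-hibernate-1.4.14.jar
/opt/app/lib/commons-io-2.6.jar
""".splitlines()

if __name__ == "__main__":
    for path, version, in_range in audit(SAMPLE_LISTING):
        status = "IN RANGE (" + ", ".join(CVES) + ")" if in_range else "outside range"
        print(f"{version:10} {status:45} {path}")
```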