Related CVEs: CVE-2020-26258, CVE-2020-26259
Several security vulnerabilities were discovered in XStream, a Java library to serialize objects to XML and back again.
XStream is vulnerable to a Server-Side Request Forgery (SSRF) that can be triggered when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available, simply by manipulating the processed input stream.
XStream is vulnerable to Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, simply by manipulating the processed input stream.
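Both issues are reached through XStream unmarshalling attacker-controlled XML into types the application never intended to instantiate. As an added defence-in-depth example (not part of this advisory or of the XStream project), the following Java snippet configures XStream's security framework to deny all types by default and re-allow only an application's own model package; the package name com.example.model is an assumption.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamFactory {

    /** Builds an XStream instance that refuses to deserialize unexpected classes. */
    public static XStream create() {
        XStream xstream = new XStream();
        // Drop every default permission: from here on, nothing is allowed
        // unless it is explicitly re-enabled below.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-enable null and primitive/boxed values, which ordinary objects need.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        // Allow only the application's own data classes (assumed package name).
        xstream.allowTypesByWildcard(new String[] { "com.example.model.**" });
        return xstream;
    }

    /**
     * Unmarshals untrusted XML, treating a rejected type as a hard failure.
     * Returns null when XStream refused a class outside the allow-list,
     * which is the condition a caller should log and alert on.
     */
    public static Object parseUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (ForbiddenClassException e) {
            // Input referenced a class that is not on the allow-list.
            System.err.println("rejected type in XML input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed sample: a plain string is allowed...
        System.out.println(parseUntrusted(xstream, "<string>hello</string>"));
        // ...while a JDK class the application never allow-listed is refused.
        System.out.println(parseUntrusted(xstream, "<java.io.File><path>/tmp/x</path></java.io.File>"));
    }
}
```

Upgrading the package remains the fix; the allow-list limits what any future unmarshalling gadget can reach.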
For Debian 8 jessie, these problems have been fixed in version 188.8.131.52-1+deb8u1.
We recommend that you upgrade your libxstream-java packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/