# CVE-2020-26259 XStream Arbitrary File Deletion
PoC:
```java
XStream xstream = new XStream();
xstream.fromXML(xml);
```
https://x-stream.github.io/CVE-2020-26259.html
**CVE_2020_26259.java:**
```java
import com.thoughtworks.xstream.XStream;

/*
CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host
when unmarshalling as long as the executing process has sufficient rights.
https://x-stream.github.io/CVE-2020-26259.html

Warning printed by XStream when run this way:
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
*/
public class CVE_2020_26259 {
    public static void main(String[] args) {
        // The XML payload between the quotes is not present on this page.
        String xml_poc = "";
        // Default instance: no type allowlist is configured before unmarshalling.
        XStream xstream = new XStream();
        xstream.fromXML(xml_poc);
    }
}
```












