CVE-2019-6339

EUVD-2022-0526

22.01.2019, 15:29

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 98%

Affected Products (NVD)

Vendor	Product	Version
drupal	drupal	7.0 ≤ 𝑥 < 7.62
drupal	drupal	8.5.0 ≤ 𝑥 < 8.5.9
drupal	drupal	8.6.0 ≤ 𝑥 < 8.6.6
debian	debian_linux	8.0
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

drupal7

bionic	dne
cosmic	dne
disco	dne
eoan	dne
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
trusty	needed
xenial	needed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

https://www.debian.org/security/2019/dsa-4370

https://www.drupal.org/sa-core-2019-002

https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

https://www.debian.org/security/2019/dsa-4370

https://www.drupal.org/sa-core-2019-002