CVE-2019-6338 — Deserialization of Untrusted Data in Drupal Core

CWE-502 — Deserialization of Untrusted Data9 documents6 sources

Severity

8.0HIGHNVD

CNA8.8GHSA8.8OSV8.8

EPSS

1.0%

top 22.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Drupal Core +1 more

Timeline

PublishedJan 22

Latest updateDec 2

Description

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages4 packages

▶Packagistdrupal/core8.0.0 — 8.5.9+1

▶CVEListV5drupal/drupal_core7.x — 7.62+2

▶NVDdrupal/drupal7.0 — 7.62+2

▶Packagistdrupal/drupal7.0.0 — 7.62.0+2

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data↗2019-12-02

▶

OSV

Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data↗2019-12-02

▶

OSV

CVE-2019-6338: In Drupal Core versions 7↗2019-01-22

▶

CVEList

third-party PEAR Archive_Tar library updates↗2019-01-22

▶

OSV

CVE-2019-6338: Drupal core uses the third-party PEAR Archive\_Tar library↗2019-01-16

▶

📋Vendor Advisories

Drupal

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001↗2019-01-16

▶

💬Community

Bugzilla

CVE-2019-6338 CVE-2019-6339 drupal: various flaws [fedora-all]↗2019-01-23

▶

Bugzilla

CVE-2019-6338 drupal: Vulnerability in the embedded PEAR Archive_Tar library↗2019-01-23

▶