CVE-2019-6339: Improper Input Validation in Drupal Core

Severity: 9.8 CRITICAL (NVD)
EPSS: 76.1% (top 1.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 22; Latest update Jan 6

Description

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an admini

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Packagist   drupal/core          7.0.0   7.62.0   +2
CVEListV5   drupal/drupal_core   7.x     7.62     +2
NVD         drupal/drupal        7.0     7.62     +2
Packagist   drupal/drupal        7.0.0   7.62.0   +2

Also affects: Debian Linux 8.0, 9.0

Patches

🔴 Vulnerability Details (5)

GHSA: Arbitrary PHP code execution in Drupal (2022-01-06)
OSV: Arbitrary PHP code execution in Drupal (2022-01-06)
CVEList: PHAR stream wrapper Arbitrary PHP code execution (2019-01-22)
OSV: CVE-2019-6339: In Drupal Core versions 7 (2019-01-22)
OSV: CVE-2019-6339: A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI (2019-01-16)

📋 Vendor Advisories (1)

Drupal: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002 (2019-01-16)

💬 Community (2)

Bugzilla: CVE-2019-6338 CVE-2019-6339 drupal: various flaws [fedora-all] (2019-01-23)
Bugzilla: CVE-2019-6339 drupal: Vulnerability in the PHP's built-in phar stream wrapper (2019-01-23)