CVE-2019-6339
published 2019-01-22

Priority: P2 (68), severity critical, CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.23% (98.2nd percentile)
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
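The weakness described above is application code passing user-controlled strings straight into PHP filesystem functions, which honour any registered stream wrapper. The fixed Drupal releases addressed this by swapping in a replacement phar stream wrapper; the following is an added example, not Drupal's code, of the complementary application-level check a site or module can apply before any file operation: reject input that carries a URL scheme and confine the resolved path to an expected base directory. The function name safe_local_path and the base directory are assumptions made for this example.

```php
<?php
// Added example (not Drupal core or contrib code). Validates a user-supplied
// file reference before it reaches file_get_contents(), file_exists(),
// is_file() and similar calls, all of which would invoke the phar:// wrapper
// on an untrusted phar URI. Written for PHP 7.0+.
declare(strict_types=1);

/**
 * Returns the resolved local path if $userInput is a plain file path that
 * exists inside $baseDir, or null if it carries a scheme (phar://, data://, ...),
 * contains a null byte, or escapes the base directory.
 */
function safe_local_path(string $userInput, string $baseDir): ?string
{
    // Null bytes can truncate the path seen by the underlying C library calls.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // Any "scheme://" prefix (case-insensitive) selects a stream wrapper;
    // a plain local path never needs one, so refuse all of them.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userInput) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." segments and symlinks against the real filesystem.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userInput, '/\\'));
    if ($candidate === false) {
        return null; // target does not exist
    }
    // Prefix check with a trailing separator so "/base-other" is not accepted as "/base".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage with constructed inputs: only the value returned by safe_local_path()
// is ever handed to a file operation.
$base = sys_get_temp_dir();
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', "constructed sample\n");

$inputs = [
    'notes.txt',                        // plain relative path inside the base: accepted
    'phar://example.phar/notes.txt',    // stream-wrapper URI: rejected before any I/O
    'PHAR://example.phar/notes.txt',    // scheme matching is case-insensitive
    '../../etc/hostname',               // traversal out of the base directory: rejected
];
foreach ($inputs as $input) {
    $path = safe_local_path($input, $base);
    echo str_pad($input, 34) . ' => ' . ($path === null ? 'REJECTED' : $path) . PHP_EOL;
}
```

The scheme check is deliberately broader than phar:// alone: the page's advisory concerns the phar wrapper, but the same file-operation sink would dispatch to any other registered wrapper, so an allowlist of plain paths is the robust shape of the check. On Drupal 7 hosts running PHP 5.3.2 or earlier, where the built-in wrapper is disabled outright rather than replaced, this input validation still applies unchanged.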

Affected

15 ranges

Vendor    Product        Version range          Fixed in
debian    debian_linux
debian    debian_linux
drupal    core           >= 7.0.0 < 7.62.0      7.62.0
drupal    core           >= 8.0.0 < 8.5.9       8.5.9
drupal    core           >= 8.6.0 < 8.6.6       8.6.6
drupal    drupal         >= 7.0 < 7.62          7.62
drupal    drupal         >= 7.0.0 < 7.62.0      7.62.0
drupal    drupal         >= 8.0.0 < 8.5.9       8.5.9
drupal    drupal         >= 8.5.0 < 8.5.9       8.5.9
drupal    drupal         >= 8.6.0 < 8.6.6       8.6.6
drupal    drupal         >= 8.6.0 < 8.6.6       8.6.6
drupal    drupal_core
drupal    drupal_core    >= 7.x < 7.62          7.62
drupal    drupal_core    >= 8.5.x < 8.5.9       8.5.9
drupal    drupal_core    >= 8.6.x < 8.6.6       8.6.6

Detection & IOCs (extracted from sources)

Indicator (other): phar://
Indicator (other): .phar
  • Monitor for file operations involving untrusted phar:// URIs in Drupal request parameters or file upload fields, which may indicate exploitation attempts.
  • Detect upload of files with .phar extension to Drupal file fields, as these can be used to achieve remote code execution.
  • Exploitation typically requires access to an administrative permission or atypical configuration — prioritize alerting on phar:// usage in admin-accessible code paths.
  • Drupal 7 sites on PHP 5.3.2 and earlier cannot use the replacement phar stream wrapper; instead the built-in phar stream wrapper is disabled entirely. Re-enabling it on those versions restores the vulnerable behavior.
  • The initial patch (8.6.6, 8.5.9, 7.62) introduced a fatal error for some Drush installations; follow-on releases 8.6.7, 8.5.10, and 7.63 were issued to resolve this regression.

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.0       9.8      CRITICAL    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                  9.8      CRITICAL