ASA-2019-00014 – Drupal: Remote code execution through phar:// file in Archive_Tar package
Allele Security Alert

ASA-2019-00014

Identifier(s)

ASA-2019-00014, SA-CORE-2019-001, CVE-2019-6338

Title

Remote code execution through phar:// file in Archive_Tar package

Vendor(s)

Drupal Association

Product(s)

Drupal

Affected version(s)

Drupal 8.6.x before 8.6.6
Drupal 8.5.x before 8.5.9
Drupal 7.x before 7.62

Fixed version(s)

Drupal 8.6.6
Drupal 8.5.9
Drupal 7.62

Proof of concept

Unknown

Description

Drupal core uses the third-party PEAR Archive_Tar library. The library's maintainers have released a security update that affects some Drupal configurations.

Technical details

Unknown

Credits

Ayesh Karunaratne, farisv

Reference(s)

Drupal core – Critical – Third Party Libraries – SA-CORE-2019-001
https://www.drupal.org/sa-core-2019-001

Bug #23782 Prevent phar:// files from being extracted
https://pear.php.net/bugs/bug.php?id=23782

Security Vulnerability Announcement: Archive_Tar
http://blog.pear.php.net/2018/12/20/security-vulnerability-announcement-archive_tar/

CVE-2018-1000888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888

CVE-2018-1000888
https://nvd.nist.gov/vuln/detail/CVE-2018-1000888

CVE-2019-6338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338

CVE-2019-6338
https://nvd.nist.gov/vuln/detail/CVE-2019-6338

If there is any error in this alert, or if you wish a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.