Allele Security Alert
ASA-2019-00014
Identifier(s)
ASA-2019-00014, SA-CORE-2019-001, CVE-2019-6338
Title
Remote code execution through phar:// file in Archive_Tar package
Vendor(s)
Drupal Association
Product(s)
Drupal
Affected version(s)
Drupal 8.6.x before 8.6.6
Drupal 8.5.x before 8.5.9
Drupal 7.x before 7.62
Fixed version(s)
Drupal 8.6.6
Drupal 8.5.9
Drupal 7.62
Proof of concept
Unknown
Description
Drupal core uses the third-party PEAR Archive_Tar library. The maintainers of that library have released a security update that affects some Drupal configurations.
Technical details
Unknown
Credits
Ayesh Karunaratne, farisv
Reference(s)
Drupal core – Critical – Third Party Libraries – SA-CORE-2019-001
https://www.drupal.org/sa-core-2019-001
Bug #23782 Prevent phar:// files from being extracted
https://pear.php.net/bugs/bug.php?id=23782
Security Vulnerability Announcement: Archive_Tar
http://blog.pear.php.net/2018/12/20/security-vulnerability-announcement-archive_tar/
CVE-2018-1000888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000888
CVE-2018-1000888
https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
CVE-2019-6338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6338
CVE-2019-6338
https://nvd.nist.gov/vuln/detail/CVE-2019-6338
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019