ASA-2019-00015 – Drupal: Arbitrary PHP code execution


Allele Security Alert

ASA-2019-00015

Identifier(s)

ASA-2019-00015, SA-CORE-2019-002, CVE-2019-6339

Title

Arbitrary PHP code execution

Vendor(s)

Drupal Association

Product(s)

Drupal

Affected version(s)

Drupal 8.6.x before 8.6.6
Drupal 8.5.x before 8.5.9
Drupal 7.x before 7.62

Fixed version(s)

Drupal 8.6.6
Drupal 8.5.9
Drupal 7.62

Proof of concept

Unknown

Description

A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.
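As an added illustration of the kind of input check the description calls for (this is example code, not Drupal's own fix; the function name and the temp-directory base are assumptions), the following PHP refuses any user-supplied path that names a stream wrapper such as phar:// before it is handed to a filesystem function:

```php
<?php
// Added example, not Drupal code: gate user-supplied paths before any
// file operation so that a phar:// (or other wrapper) URI never reaches
// file_exists(), is_dir(), file_get_contents() and friends.

/**
 * Return true only if $path is a plain relative path under $baseDir.
 * Any "scheme:" prefix (phar:, data:, file:, ...) is rejected outright,
 * which is safer than a blocklist of known wrappers. Wrapper names are
 * case-insensitive in PHP, so the pattern is too.
 */
function is_safe_local_path(string $path, string $baseDir): bool {
    // NUL bytes can truncate the path in the underlying C call.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    // Refuse anything that looks like scheme:... (also drops "C:" style
    // absolute paths, which is fine because only relative names are expected).
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $path)) {
        return false;
    }
    // Resolve and confirm the target stays inside the allowed directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    return $base !== false && $real !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// Constructed sample inputs (assumed base directory: the system temp dir).
$baseDir = sys_get_temp_dir();
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'report.txt', "sample\n");
$candidates = [
    'report.txt',                   // ordinary file: allowed
    'phar://archive.phar/x.txt',    // phar wrapper: rejected
    'PHAR://archive.phar/x.txt',    // case variant: rejected
    '../etc/passwd',                // escapes base dir: rejected
];
foreach ($candidates as $candidate) {
    $verdict = is_safe_local_path($candidate, $baseDir) ? 'allowed' : 'rejected';
    echo "$candidate => $verdict\n";
}
```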

Technical details

Unknown

Credits

Greg Knaddison (Drupal Security Team)

Reference(s)

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2019-002
https://www.drupal.org/sa-core-2019-002

CVE-2019-6339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339

CVE-2019-6339
https://nvd.nist.gov/vuln/detail/CVE-2019-6339

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.