Allele Security Alert
ASA-2019-00015
Identifier(s)
ASA-2019-00015, SA-CORE-2019-002, CVE-2019-6339
Title
Arbitrary PHP code execution
Vendor(s)
Drupal Association
Product(s)
Drupal
Affected version(s)
Drupal 8.6.x before 8.6.6
Drupal 8.5.x before 8.5.9
Drupal 7.x before 7.62
Fixed version(s)
Drupal 8.6.6
Drupal 8.5.9
Drupal 7.62
Proof of concept
Unknown
Description
A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.
Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.
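One way to apply the validation the description calls for, shown as an added example that is not Drupal's patch or code from this alert: resolve the stream-wrapper scheme of a user-supplied path and accept only expected schemes before any file operation touches it. The function names, the allowlist (`public`, `private`, `temporary`) and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal's code. Names, allowlist and samples are assumptions.

// Schemes the application expects for user-supplied file targets (assumed).
const EXAMPLE_ALLOWED_SCHEMES = ['public', 'private', 'temporary'];

/**
 * Return the lower-cased stream-wrapper scheme of $path, or null for a plain path.
 */
function example_uri_scheme(string $path): ?string
{
    // PHP matches wrapper names case-insensitively, so "PHAR://" selects phar too.
    if (preg_match('~^([a-z0-9+.\-]{2,})://~i', $path, $m)) {
        return strtolower($m[1]);
    }
    // "data:" is accepted by PHP without the "//" part.
    if (strncasecmp($path, 'data:', 5) === 0) {
        return 'data';
    }
    return null;
}

/**
 * Decide whether a user-supplied path may be handed to file_exists(), fopen(), etc.
 */
function example_is_allowed_file_target(string $path): bool
{
    $scheme = example_uri_scheme($path);
    if ($scheme === null) {
        // Plain filesystem path: no wrapper involved (traversal checks not shown).
        return true;
    }
    // Allowlist rather than blocking "phar" alone, so other wrappers are refused too.
    return in_array($scheme, EXAMPLE_ALLOWED_SCHEMES, true);
}

// Constructed sample inputs.
$samples = [
    'public://avatars/user-42.png',
    'phar://sites/default/files/upload.jpg/x',
    'PHAR:///tmp/upload.gif',
    'uploads/report.pdf',
];
foreach ($samples as $candidate) {
    $verdict = example_is_allowed_file_target($candidate) ? 'allow' : 'reject';
    printf("%-45s %s\n", $candidate, $verdict);
}
```

The check has to run before every file function that receives the value, including ones that only query metadata such as `file_exists()`.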
Technical details
Unknown
Credits
Greg Knaddison (Drupal Security Team)
Reference(s)
Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2019-002
https://www.drupal.org/sa-core-2019-002
CVE-2019-6339
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6339
CVE-2019-6339
https://nvd.nist.gov/vuln/detail/CVE-2019-6339
Last modified: February 24, 2019