CVE-2019-6339

high-risk

Published 2019-01-22

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Do I need to act?

76.1% chance of exploitation in next 30 days

EPSS score — higher than 24% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (3)

Drupal

Debian Linux

Affected Vendors

Debian Drupal

References (6)

Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

Third Party Advisory https://www.debian.org/security/2019/dsa-4370

Patch https://www.drupal.org/sa-core-2019-002

Third Party Advisory https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

Third Party Advisory https://www.debian.org/security/2019/dsa-4370

Patch https://www.drupal.org/sa-core-2019-002

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 9/34 · Low