RULE(RULE ID:321640)

Rule General Information
Release Date: 2019-04-02
Rule Name: Drupal Core phar stream wrapper Insecure Deserialization Vulnerability (CVE-2019-6339)
Severity:
CVE ID:
Rule Protection Details
Description: In Drupal Core 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when file operations are performed on an untrusted phar:// URI. Some Drupal code (core, contrib and custom) may perform file operations on insufficiently validated user input and is therefore exposed to this vulnerability.
Impact: A remote attacker could exploit this vulnerability by sending a crafted HTTP request to the target application. Successful exploitation of this vulnerability could result in arbitrary code execution under the security context of the web server.
Affected OS: Windows, Linux, FreeBSD, Solaris, Other Unix, Network Device, Mac OS, iOS, Android, Others
Reference: https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html
https://www.debian.org/security/2019/dsa-4370
https://www.drupal.org/sa-core-2019-002
Solutions
Upgrading to version 7.62, 8.5.9 or 8.6.6 eliminates this vulnerability.
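As an added illustration of the condition this rule watches for (example code written for this page, not the vendor's rule logic or Drupal's own code): a small Python scanner that flags HTTP request parameters whose value carries a phar:// URI, normalizing percent-encoding and case first so that encoded variants are compared in one canonical form. The request lines are constructed samples.

```python
"""Flag request parameters that carry a phar:// stream-wrapper URI.

Added example for CVE-2019-6339 (not Drupal or vendor code). Sample
requests are constructed for illustration, not captured traffic.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

PHAR_SCHEME = "phar://"


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded, to stop on stable input)
    and lowercase, so 'PHAR%3A%2F%2F' and 'phar://' compare equal."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def find_phar_params(request_line, body=""):
    """Return [(param_name, normalized_value)] for every query-string or
    form-body parameter whose value contains a phar:// URI."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        norm = normalize(value)
        if PHAR_SCHEME in norm:
            hits.append((name, norm))
    return hits


# Constructed samples: plain, double-encoded, mixed-case, and benign.
SAMPLE_REQUESTS = [
    ("GET /index.php?q=user/1&file=phar:///tmp/avatar.jpg HTTP/1.1", ""),
    ("GET /index.php?q=phar%253A%252F%252Ftmp%252Fa.jpg HTTP/1.1", ""),
    ("POST /user/register HTTP/1.1", "name=alice&picture=PHAR://tmp/a.jpg"),
    ("GET /index.php?q=node/1 HTTP/1.1", ""),
]


def scan(samples=SAMPLE_REQUESTS):
    """Map sample index -> hits, keeping only requests that matched."""
    result = {}
    for i, (request_line, body) in enumerate(samples):
        hits = find_phar_params(request_line, body)
        if hits:
            result[i] = hits
    return result
```

Run `scan()` to see which of the constructed samples are flagged; the benign node/1 request produces no hit.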