CVE-2019-6338 — drupal7 - security update

Description

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

How to fix CVE-2019-6338

To remediate CVE-2019-6338, upgrade the affected package to a fixed version below.

Debian/drupal7—upgrade to 7.32-1+deb8u15 or later
—upgrade to 7.52-2+deb9u6 or later
—upgrade to 8.5.9 or later
—upgrade to 7.62.0 or later

Is CVE-2019-6338 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 7.32-1+deb8u15
from 0, < 7.52-2+deb9u6
>= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
>= 7.0.0, < 7.62.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-6338
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6338.yaml
WEBlists.debian.org/debian-lts-announce/2019/02/msg00032.html
WEBwww.debian.org/security/2019/dsa-4370