CVE-2019-6339
drupal7 - security update
Description
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6, and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.
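The description above comes down to a validation gap: a user-controlled string reaches a PHP file operation while still carrying a stream-wrapper scheme such as phar://. The following is an added example of the defensive check (not Drupal's patch and not code from this advisory); the allowlist of schemes and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Drupal's own code: refuse user-supplied paths that
// would hand a stream-wrapper URI (phar://, and others) to a file operation.

/**
 * Return the lower-cased stream-wrapper scheme of $path, or null when the
 * string is a plain filesystem path. Scheme names are matched
 * case-insensitively because PHP resolves "PHAR://" like "phar://".
 */
function path_scheme(string $path): ?string
{
    if (preg_match('/^([a-z][a-z0-9+.\-]*):\/\//i', $path, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/**
 * Accept a path only if it is a plain relative filename (no NUL bytes, no
 * traversal) or a URI whose scheme is explicitly allowlisted. The default
 * allowlist is a constructed example; a real application lists only the
 * wrappers it actually needs.
 */
function is_safe_file_target(
    string $path,
    array $allowedSchemes = ['public', 'private', 'temporary']
): bool {
    $scheme = path_scheme($path);
    if ($scheme === null) {
        return strpos($path, "\0") === false
            && strpos($path, '..') === false
            && $path !== '' && $path[0] !== '/';
    }
    return in_array($scheme, $allowedSchemes, true);
}

// Constructed inputs and the verdict a caller would act on before calling
// file_exists(), fopen(), is_dir() and similar functions.
$samples = [
    'sites/default/files/report.csv',               // plain path: allowed
    'public://uploads/report.csv',                  // allowlisted wrapper: allowed
    'phar://sites/default/files/archive.phar/x.txt',// phar wrapper: rejected
    'PHAR://sites/default/files/archive.phar/x.txt',// case variation: rejected
    '../../../etc/passwd',                          // traversal: rejected
];
foreach ($samples as $p) {
    printf("%-48s %s\n", $p, is_safe_file_target($p) ? 'allowed' : 'rejected');
}
```

The check belongs before any file operation on request-derived input, not only on upload handlers, because the vulnerable step is the file operation itself rather than the upload.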
How to fix CVE-2019-6339
To remediate CVE-2019-6339, upgrade the affected package to one of the fixed versions below.
- upgrade to 7.32-1+deb8u14 or later
- upgrade to 8.5.9 or later
- upgrade to 7.62.0 or later
- upgrade to 7.62.0 or later
Is CVE-2019-6339 being exploited?
Likely — EPSS is 76.1%, placing CVE-2019-6339 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 7.32-1+deb8u14
- >= 8.0.0, < 8.5.9 | >= 8.6.0, < 8.6.6
- >= 7.0.0, < 7.62.0
- >= 7.0.0, < 7.62.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |