PT-2019-4190 · Pear+1 · Pear Archive Tar+1

Ayesh Karunaratne · Published 2019-01-16 · Updated 2019-12-02 · CVE-2019-6338

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Drupal Core versions 7.x prior to 7.62
Drupal Core versions 8.5.x prior to 8.5.9
Drupal Core versions 8.6.x prior to 8.6.6

Description
The issue is in the PEAR Archive Tar library used by Drupal Core; a security update for the library affects some Drupal configurations. The vulnerability involves deserialization of untrusted data, which could allow a remote attacker to execute arbitrary code.

Recommendations
For Drupal Core version 7.x, update to version 7.62 or later.
For Drupal Core version 8.5.x, update to version 8.5.9 or later.
For Drupal Core version 8.6.x, update to version 8.6.6 or later.

Exploit

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2019-04786
CVE-2019-6338
DLA-1685-1
DRUPAL-CORE-2019-001
DSA-4370-1
GHSA-6RMQ-X2HV-VXPP

Affected Products

Drupal Core
Pear Archive Tar