
SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported

2013-01-30 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 2.1 Low (AV:L/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.967 High (Percentile: 99.7%)

This package is a tool to build Debian packages from a Drupal instance.

The module doesn’t sufficiently protect database credentials.

This vulnerability is mitigated by the fact that an attacker must have shell access to the server.

CVE identifier(s) issued

  • CVE-2013-0260

Versions affected

  • All versions.

Drupal core is not affected. If you do not use the contributed Drush Debian Packaging module, there is nothing you need to do.

Solution

Uninstall the package.

Also see the Drush Debian Packaging project page.

Reported by

Fixed by

Not applicable.

Coordinated by
