Lucene search

FreeBSD9B8A52FC-89C1-11E9-9BA0-4C72B94353B5

HistoryMay 08, 2019 - 12:00 a.m.

drupal -- Drupal core - Moderately critical

2019-05-0800:00:00

vuxml.freebsd.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.027 Low

EPSS

Percentile

90.4%

JSON

Drupal Security Team reports:

CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor.
In order to intercept file invocations like file_exists or stat on compromised Phar archives
the base name has to be determined and checked before allowing to be handled by PHP
Phar stream handling.
The current implementation is vulnerable to path traversal leading to scenarios where the
Phar archive to be assessed is not the actual (compromised) file.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchdrupal7< 7.67UNKNOWN
FreeBSDanynoarchdrupal8< 8.7.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	drupal7	< 7.67	UNKNOWN
FreeBSD	any	noarch	drupal8	< 8.7.1	UNKNOWN

References

www.drupal.org/SA-CORE-2019-007

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.027 Low

EPSS

Percentile

90.4%

JSON

Related for 9B8A52FC-89C1-11E9-9BA0-4C72B94353B5