Lucene search

K
ubuntucveUbuntu.comUB:CVE-2019-6340
HistoryFeb 21, 2019 - 12:00 a.m.

CVE-2019-6340

2019-02-2100:00:00
ubuntu.com
ubuntu.com
9

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

Some field types do not properly sanitize data from non-form sources in
Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to
arbitrary PHP code execution in some cases. A site is only affected by this
if one of the following conditions is met: The site has the Drupal 8 core
RESTful Web Services (rest) module enabled and allows PATCH or POST
requests, or the site has another web services module enabled, like
JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
(Note: The Drupal 7 Services module itself does not require an update at
this time, but you should apply other contributed updates associated with
this advisory if Services is in use.)

Notes

Author Note
mdeslaur drupal 7 not affected per Debian

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%