drupal/core is vulnerable to object injection. The vulnerability is possible because it does not properly use third-party PEAR Archive_Tar library, leading to a vulnerability similar to CVE-2018-1000888.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/core | le | 8.6.5 | |
drupal/core | le | 8.5.8 | |
drupal/drupal | le | 8.6.5 | |
drupal/drupal | le | 8.5.8 |
www.securityfocus.com/bid/106706
github.com/drupal/core/commit/c4996d260040c3886b4a4a762be4e94c1c7c1233
github.com/drupal/core/commit/e9f0aac47f60a0e55ec1971b6d9c6c1194ef1fbd
github.com/drupal/drupal/commit/5ed2a9f0ab5ce8280aebd18f9ee8c3d80cfd3c63
lists.debian.org/debian-lts-announce/2019/02/msg00032.html
www.debian.org/security/2019/dsa-4370
www.drupal.org/sa-core-2019-001