Lucene search
Veracode Vulnerability DatabaseVERACODE:13261HistoryJan 23, 2019 - 6:38 a.m.
Object Injection
2019-01-2306:38:24
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
8
0.007 Low
EPSS
Percentile
81.0%
drupal/core is vulnerable to object injection. The vulnerability is possible because it does not properly use third-party PEAR Archive_Tar library, leading to a vulnerability similar to CVE-2018-1000888.
| CPE | Name | Operator | Version |
|---|---|---|---|
| drupal/core | le | 8.6.5 | |
| drupal/core | le | 8.5.8 | |
| drupal/drupal | le | 8.6.5 | |
| drupal/drupal | le | 8.5.8 |
References
www.securityfocus.com/bid/106706
github.com/drupal/core/commit/c4996d260040c3886b4a4a762be4e94c1c7c1233
github.com/drupal/core/commit/e9f0aac47f60a0e55ec1971b6d9c6c1194ef1fbd
github.com/drupal/drupal/commit/5ed2a9f0ab5ce8280aebd18f9ee8c3d80cfd3c63
lists.debian.org/debian-lts-announce/2019/02/msg00032.html
www.debian.org/security/2019/dsa-4370
www.drupal.org/sa-core-2019-001
Related
cvelist
cvelist
CVE-2019-6338 third-party PEAR Archive_Tar library updates
2019-01-22 15:00:00
CVE-2018-1000888
2018-12-27 18:00:00
nvd
nvd
CVE-2019-6338
2019-01-22 14:29:00
CVE-2018-1000888
2018-12-28 16:29:01
github
github
cve
cve
CVE-2019-6338
2019-01-22 15:00:00
CVE-2018-1000888
2018-12-28 16:29:01
drupal
drupal
Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
2019-01-16 00:00:00
debiancve
debiancve
CVE-2019-6338
2019-01-22 14:29:00
CVE-2018-1000888
2018-12-28 16:29:01
osv
osv
CVE-2019-6338
2019-01-22 14:29:00
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
2019-12-02 18:11:25
Archive_Tar contains Potential RCE if filename starts with phar://
2023-07-07 13:42:43
ubuntucve
ubuntucve
CVE-2019-6338
2019-01-22 00:00:00
CVE-2018-1000888
2018-12-28 00:00:00
prion
prion
Code injection
2019-01-22 14:29:00
Arbitrary file deletion
2018-12-28 16:29:00
openvas
openvas
Debian: Security Advisory (DLA-1685-1)
2019-02-19 00:00:00
Drupal Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002) - Linux
2019-01-18 00:00:00
nessus
nessus
Drupal 7.x < 7.62 / 8.5.x < 8.5.9 / 8.6.x < 8.6.6 Multiple Vulnerabilities (SA-CORE-2019-001, SA-CORE-2019-002)
2019-01-16 00:00:00
Debian DLA-1685-1 : drupal7 security update
2019-02-20 00:00:00
Debian DSA-4378-1 : php-pear - security update
2019-01-31 00:00:00
debian
debian
[SECURITY] [DLA 1685-1] drupal7 security update
2019-02-20 03:23:28
[SECURITY] [DSA 4378-1] php-pear security update
2019-01-30 15:44:53
[SECURITY] [DSA 4378-1] php-pear security update
2019-01-30 15:44:53
redhatcve
redhatcve
CVE-2018-1000888
2020-01-15 03:35:00
friendsofphp
friendsofphp
Potential RCE if filename starts with phar://
2018-12-20 19:11:37
Potential RCE if filename starts with phar://
2018-12-20 19:11:37
Critical - Third Party Libraries
1970-01-01 00:00:00
ubuntu
ubuntu
PEAR vulnerability
2019-01-14 00:00:00
amazon
amazon
Medium: php-pear
2019-02-13 18:35:00
alpinelinux
alpinelinux
CVE-2018-1000888
2018-12-28 16:29:01
packetstorm
packetstorm
PEAR Archive_Tar PHP Object Injection
2019-01-10 00:00:00
exploitpack
exploitpack
PEAR Archive_Tar 1.4.4 - PHP Object Injection
2019-01-10 00:00:00
gentoo
gentoo
PEAR Archive_Tar: Remote code execution vulnerability
2020-06-15 00:00:00
veracode
veracode
Arbitrary File Deletion
2018-12-31 01:31:32
exploitdb
exploitdb
PEAR Archive_Tar < 1.4.4 - PHP Object Injection
2019-01-10 00:00:00