Home > Vulnerability Database > CVE-2019-6339

Mend.io Vulnerability Database

CVE-2019-6339

Date: January 22, 2019

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Language: PHP

Severity Score

9.8

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-6339

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-6339.yaml

Url: https://www.drupal.org/sa-core-2019-002

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-6339.yaml

Url: https://www.debian.org/security/2019/dsa-4370

Url: https://lists.debian.org/debian-lts-announce/2019/02/msg00004.html

Url: https://www.mend.io/vulnerability-database/CVE-2019-6339

Severity Score

9.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-6339

Date: January 22, 2019

Language: PHP

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?