Multiple vulnerabilities in Drupal

Published: 2019-01-16

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-6338 CVE-2019-6339
CWE-ID	CWE-264 CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Drupal Web applications / CMS
Vendor	Drupal

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU17233

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6338

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the system.

The vulnerability exists in the Drupal core PEAR Archive_Tar library due to an unsafe object deserialization condition. A remote attacker can submit a specially crafted tar file to bypass security restrictions on the system and conduct further attacks.

Mitigation

The vulnerability has been fixed in the versions 7.62, 8.5.9, 8.6.6.

Vulnerable software versions

Drupal: 7.0 - 8.6.5

External links

http://www.drupal.org/sa-core-2019-001

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU17234

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-6339

CWE-ID: CWE-20 - Improper input validation