Synology-SA-19:22 Drupal

Publish Time: 2019-05-10 13:59:40 UTC+8

Last Updated: 2019-11-05 19:07:22 UTC+8

Severity: Important
Status: Resolved

Abstract

A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Drupal and Drupal8.

Affected Products

Product   Severity   Fixed Release Availability
Drupal    Important  Upgrade to 7.67-0131 or above.
Drupal8   Important  Upgrade to 8.6.17-0015 or above.

Mitigation

None

Detail

  • CVE-2019-11831
    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
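The bypass described above comes down to two components resolving the same phar:// path differently: a guard that collapses `..` before deciding which archive is referenced ends up checking a different file from the one the loader actually opens. The following Python model is an added example, not PharStreamWrapper, TYPO3, Drupal or Synology code. It assumes (as a simplification of PHP's phar loader) that the archive is the first path segment ending in `.phar` and everything after it is a path inside that archive; the allowlist and function names are constructed for illustration.

```python
"""Added example: why a normalise-then-check guard around phar:// paths is
bypassable with '..', and a hardened check that is not.

Assumption (model of PHP's phar loader, not its real code): the archive is
the first path segment ending in '.phar'; later segments are paths inside it.
"""
import posixpath

# Constructed allowlist of archives the application is willing to open.
ALLOWED_ARCHIVES = {"/path/good.phar"}


def strip_scheme(url: str) -> str:
    """Return the path part of a phar:// URL."""
    if not url.startswith("phar://"):
        raise ValueError("not a phar:// URL")
    return url[len("phar://"):]


def archive_before_normalizing(path: str) -> str:
    """Model of the consumer: first '.phar' segment wins, '..' is not collapsed."""
    parts = path.split("/")
    for i, segment in enumerate(parts):
        if segment.endswith(".phar"):
            return "/".join(parts[: i + 1])
    return path


def archive_after_normalizing(path: str) -> str:
    """Model of a naive guard: collapse '..' first, then look for '.phar'."""
    return archive_before_normalizing(posixpath.normpath(path))


def naive_guard_allows(url: str) -> bool:
    """Vulnerable pattern: the guard judges the normalised path, so
    '/path/bad.phar/../good.phar' is checked as good.phar while the
    consumer opens bad.phar."""
    return archive_after_normalizing(strip_scheme(url)) in ALLOWED_ARCHIVES


def hardened_guard_allows(url: str) -> bool:
    """Hardened pattern: refuse traversal segments outright and identify the
    archive exactly the way the consumer does, before any normalisation."""
    path = strip_scheme(url)
    if any(segment in ("..", ".") for segment in path.split("/")):
        return False
    return archive_before_normalizing(path) in ALLOWED_ARCHIVES


def resolution_mismatch(url: str) -> bool:
    """Detection helper: True when guard and consumer would disagree about
    which archive a URL refers to (a useful signal when reviewing logs)."""
    path = strip_scheme(url)
    return archive_before_normalizing(path) != archive_after_normalizing(path)


if __name__ == "__main__":
    # The URL shape quoted in the advisory.
    sample = "phar:///path/bad.phar/../good.phar"
    print("consumer opens :", archive_before_normalizing(strip_scheme(sample)))
    print("naive guard saw:", archive_after_normalizing(strip_scheme(sample)))
    print("naive allows   :", naive_guard_allows(sample))
    print("hardened allows:", hardened_guard_allows(sample))
    print("mismatch       :", resolution_mismatch(sample))
```

The fix is not the normalisation itself but the disagreement: whatever the guard decides must be decided on the same interpretation of the path that the code opening the archive will use, and rejecting `..` segments closes the gap where the two diverge.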

Reference

Revision

Revision  Date        Description
1         2019-05-10  Initial public release.
2         2019-11-05  Updates for Drupal and Drupal8 are now available in Affected Products.