CVE-2019-6339

CVE-2019-6339 PUBLISHED

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, a remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Risk Scores

EPSS Score: 76.09% (98.9th percentile)

Affected Products

Vendor                 Product   Versions
Ubuntu:Pro:16.04:LTS   drupal7   0, 7.38-1, 7.41-1
Ubuntu:Pro:14.04:LTS   drupal7   7.26-1ubuntu0.1+esm3, 0, *

Timeline

  • Jan 16, 2019 CVE Published
  • Oct 9, 2019 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Jan 16, 2024 EPSS Score
  • Jul 24, 2024 EPSS Score
  • Aug 17, 2024 EPSS Score
  • Dec 17, 2024 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 19, 2025 EPSS Score
  • Mar 28, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score