
DRUPAL-CORE-2019-007

DRUPAL-CORE-2019-007 PUBLISHED CVSS 9.3 CRITICAL

This security release fixes third-party dependencies included in or required by Drupal core. As described in [TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor](https://typo3.org/security/advisory/typo3-psa-2019-007/):

> In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. [...]
>
> The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.

The known vulnerability in Drupal core requires the "administer themes" permission. However, additional vulnerabilities may exist in contributed or custom modules, so sites should still update even if they do not grant this permission.

Risk Scores

CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| drupal | core | 8.1.1, 8.7.0, 8.0.0 |

Timeline

  • May 8, 2019 CVE Published
  • Dec 10, 2025 CVE Updated