Synology-SA-19:22 Drupal
Publish Time: 2019-05-10 13:59:40 UTC+8
Last Updated: 2019-11-05 19:07:22 UTC+8
- Severity: Important
- Status: Resolved
Abstract
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Drupal and Drupal8.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
Drupal | Important | Upgrade to 7.67-0131 or above. |
Drupal8 | Important | Upgrade to 8.6.17-0015 or above. |
Mitigation
None
Detail
- CVE-2019-11831
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
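The weakness described above is a mismatch between how a protection check and the runtime each decide which archive a phar:// URL refers to when the path contains traversal segments. The following is an added example, not code from Synology, Drupal or the phar-stream-wrapper project: it works out two readings of the page's own URL shape (the first `.phar` segment taken literally, versus the same rule applied after collapsing `..`), shows that they name different archives, and gates the URL so that any URL with an ambiguous or traversing path is refused before an allowlist is consulted. All function names and the allowlist are constructed for this example; which reading a given PHP runtime actually uses is not asserted here.

```python
"""Gatekeeping phar:// URLs before they reach a deserializing stream wrapper.

Added example, not code from Synology, Drupal or the phar-stream-wrapper
project. A URL such as phar:///path/bad.phar/../good.phar can be read as
naming either bad.phar or good.phar; a protection check that resolves it one
way while the runtime resolves it the other is bypassable. The gate below
refuses any URL whose reading is ambiguous and only then consults an
allowlist. Function names and the allowlist are constructed for this example.
"""
from __future__ import annotations

from urllib.parse import urlsplit

PHAR_SUFFIX = ".phar"
TRAVERSAL_SEGMENTS = frozenset({".", ".."})


def phar_path_segments(url: str) -> list[str] | None:
    """Split a phar:// URL into non-empty path segments; None for other schemes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "phar":
        return None
    # phar:///path/x.phar parses with an empty netloc and path '/path/x.phar'.
    return [seg for seg in (parts.netloc + parts.path).split("/") if seg != ""]


def archive_by_first_phar_segment(segments: list[str]) -> str | None:
    """Reading A: the archive is the path prefix ending at the first segment
    with a .phar suffix; whatever follows is a path inside that archive."""
    for i, seg in enumerate(segments):
        if seg.lower().endswith(PHAR_SUFFIX):
            return "/" + "/".join(segments[: i + 1])
    return None


def archive_by_normalized_path(segments: list[str]) -> str | None:
    """Reading B: collapse '.' and '..' the way a filesystem would, then apply
    the first-.phar rule to the collapsed path."""
    resolved: list[str] = []
    for seg in segments:
        if seg == "..":
            if resolved:
                resolved.pop()
        elif seg != ".":
            resolved.append(seg)
    return archive_by_first_phar_segment(resolved)


def gate_phar_url(url: str, allowed_archives: frozenset[str]) -> tuple[bool, str]:
    """Decide whether a phar:// URL may reach the stream wrapper.

    Fails closed: the path must name an archive, both readings must agree on
    which archive that is, no traversal segment may appear, and the archive
    must be allowlisted. Non-phar URLs are outside this gate's scope.
    """
    segments = phar_path_segments(url)
    if segments is None:
        return True, "not a phar:// URL"
    literal = archive_by_first_phar_segment(segments)
    normalized = archive_by_normalized_path(segments)
    if literal is None or normalized is None:
        return False, "no .phar archive in path"
    if literal != normalized:
        # The case the advisory describes: the check and the runtime could
        # each settle on a different archive for the same URL.
        return False, f"ambiguous archive: {literal} vs {normalized}"
    if any(seg in TRAVERSAL_SEGMENTS for seg in segments):
        # Belt and braces: traversal has no legitimate use in an archive path,
        # so refuse it even when both readings happen to agree.
        return False, "traversal segment in phar path"
    if literal not in allowed_archives:
        return False, f"archive not allowlisted: {literal}"
    return True, f"archive allowlisted: {literal}"


if __name__ == "__main__":
    # Constructed sample inputs; the allowlist is hypothetical.
    allowed = frozenset({"/path/good.phar"})
    for sample in (
        "phar:///path/bad.phar/../good.phar",
        "phar:///path/good.phar/inner/file.txt",
        "phar:///path/bad.phar/file.txt",
        "phar:///path/good.phar/../good.phar",
    ):
        ok, reason = gate_phar_url(sample, allowed)
        print(f"{'ALLOW' if ok else 'DENY '} {sample}  ({reason})")
```

The design point is that the allowlist is consulted last: the gate first proves to itself that the URL has exactly one defensible interpretation, which is what a check bolted onto one reading of the path cannot do on its own.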
Reference
Revision
Revision | Date | Description |
---|---|---|
1 | 2019-05-10 | Initial public release. |
2 | 2019-11-05 | Updates for Drupal and Drupal8 are now available; see Affected Products. |