vulnerability
FreeBSD: VID-9B8A52FC-89C1-11E9-9BA0-4C72B94353B5: drupal -- Drupal core - Moderately critical
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
9 | (AV:N/AC:L/Au:N/C:C/I:C/A:N) | 2019-05-08 | 2019-06-08 | 2025-02-19 |
Description
Drupal Security Team reports:
CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor.
In order to intercept file invocations like file_exists or stat on compromised Phar archives
the base name has to be determined and checked before allowing to be handled by PHP
Phar stream handling.
The current implementation is vulnerable to path traversal leading to scenarios where the
Phar archive to be assessed is not the actual (compromised) file.
Solution(s)
freebsd-upgrade-package-drupal7
freebsd-upgrade-package-drupal8