Vulnerability Details : CVE-2019-6338
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Products affected by CVE-2019-6338
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-6338
- 0.25%: probability of exploitation activity in the next 30 days
- ~64%: percentile, the proportion of vulnerabilities that are scored at or below this level
CVSS scores for CVE-2019-6338
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST | |
N/A | NONE | CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N | 0.1 | N/A | Drupal.org | |
8.0 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 2.1 | 5.9 | NIST | |
CWE ids for CVE-2019-6338
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-6338
- https://lists.debian.org/debian-lts-announce/2019/02/msg00032.html
  [SECURITY] [DLA 1685-1] drupal7 security update (Mailing List; Third Party Advisory)
- https://www.drupal.org/sa-core-2019-001
  (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/106706
  Drupal CVE-2019-6338 PHP Object Injection Vulnerability (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4370
  Debian -- Security Information -- DSA-4370-1 drupal7 (Third Party Advisory)