Detections
Analytics
Drupal 7.x < 7.67 / 8.6.x < 8.6.16 / 8.7.x < 8.7.1 (SA-CORE-2019-007)
critical Nessus Network Monitor Plugin ID 700664
Synopsis
A PHP application running on the remote web server is affected by a path traversal vulnerability.Description
According to its self-reported version, the instance of Drupal running on the remote web server is 7.0.x prior to 7.67, 8.6.x prior to 8.6.x, or 8.7.x prior to 8.7.1. It is, therefore, affected by a path traversal vulnerability. This security release fixes third-party dependencies included in or required by Drupal core.As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor: In order to intercept file invocations like file_exists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream handling. The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
Solution
Upgrade to Drupal 8.7.1, or later. If 8.7.x cannot be obtained, 8.6.16 and 7.67 have also been patched for this vulnerability.See Also
https://www.drupal.org/sa-core-2019-007
https://typo3.org/security/advisory/typo3-psa-2019-007/
https://www.drupal.org/project/drupal/releases/7.67
Plugin Details
Severity: Critical
ID: 700664
Family: CGI
Published: 5/8/2019
Updated: 5/13/2019
Nessus ID: 124698
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Patch Publication Date: 5/8/2019
Vulnerability Publication Date: 5/8/2019
Reference Information
CVE: CVE-2019-11831
BID: 108302