DRUPAL-CORE-2019-002

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2019-002.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2019-002
Aliases
Published
2019-01-16T17:17:12Z
Modified
2025-12-10T23:41:22.974426Z
Summary
[none]
Details

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.

Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability.

This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.5.9
Database specific 
{
    "constraint": ">= 8.0.0 <8.5.9"
}
Type
ECOSYSTEM
Events
Introduced
8.6.0
Fixed
8.6.6
Database specific 
{
    "constraint": ">=8.6.0 <8.6.6"
}

Affected versions

8.*

8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5

Database specific

affected_versions

">=7.0 <7.62 || >= 8.0.0 <8.5.9 || >=8.6.0 <8.6.6"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2019-002.json"