Drupal CVE-2019-6338 PHP Object Injection Vulnerability
| Bugtraq ID: | 106706 |
| Class: | Input Validation Error |
| CVE: | CVE-2019-6338 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 16 2019 12:00AM |
| Updated: | Jan 16 2019 12:00AM |
| Credit: | Ayesh Karunaratne and farisv. |
| Vulnerable: | Drupal 8.6.5, 8.6.4, 8.6.3, 8.6.2, 8.6.1, 8.5.8, 8.5.7, 8.5.6, 8.5.3, 8.5.2, 8.5.1, 8.5, 7.9, 7.8, 7.6, 7.59, 7.58, 7.57, 7.56, 7.55, 7.54, 7.52, 7.5, 7.44, 7.43, 7.42, 7.41, 7.40, 7.4, 7.39, 7.38, 7.37, 7.36, 7.35, 7.34, 7.33, 7.32, 7.31, 7.30, 7.3, 7.29, 7.28, 7.27, 7.26, 7.25, 7.24, 7.23, 7.22, 7.21, 7.20, 7.2, 7.19, 7.18, 7.17, 7.16, 7.15, 7.14, 7.13, 7.12, 7.11, 7.10 |
| Not Vulnerable: | Drupal 8.6.6, 8.5.9, 7.62 |
Discussion
Drupal is prone to a remote PHP object-injection vulnerability.
Attackers can exploit this issue to inject arbitrary objects into the application in order to delete files, view files, execute local script code, access or modify data, or execute arbitrary PHP code through specially crafted serialized objects.
Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9 are vulnerable.
Exploit / POC
The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References