Candidate: CVE-2018-19274
PublicDate: 2018-11-17 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19274
 https://www.phpbb.com/community/viewtopic.php?f=14&t=2492206
Description:
 Passing an absolute path to a file_exists check in phpBB before 3.2.4
 allows Remote Code Execution through Object Injection by employing Phar
 deserialization when an attacker has access to the Admin Control Panel
 with founder permissions.
Ubuntu-Description:
 It was discovered that rkhunter is vulnerable to an object injection
 vulnerability. An attacker could use it for remote code execution.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]

Patches_phpbb3:
upstream_phpbb3: released (3.0.12-5+deb8u2)
precise/esm_phpbb3: DNE
trusty_phpbb3: ignored (reached end-of-life)
trusty/esm_phpbb3: DNE (trusty was needs-triage)
xenial_phpbb3: ignored (end of standard support, was needed)
bionic_phpbb3: DNE
cosmic_phpbb3: DNE
disco_phpbb3: DNE
eoan_phpbb3: DNE
focal_phpbb3: DNE
groovy_phpbb3: DNE
hirsute_phpbb3: DNE
impish_phpbb3: DNE
jammy_phpbb3: DNE
devel_phpbb3: DNE