In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x
prior to 8.5.9; A remote code execution vulnerability exists in PHP's
built-in phar stream wrapper when performing file operations on an
untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be
performing file operations on insufficiently validated user input, thereby
being exposed to this vulnerability. This vulnerability is mitigated by the
fact that such code paths typically require access to an administrative
permission or an atypical configuration.
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Trusty/esm:DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-04-26 14:31:41 UTC (commit 30899e40836d26e1bb5f0b072d31fd87b6cf3bd4)