In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x
prior to 8.5.9; A remote code execution vulnerability exists in PHP's
built-in phar stream wrapper when performing file operations on an
untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be
performing file operations on insufficiently validated user input, thereby
being exposed to this vulnerability. This vulnerability is mitigated by the
fact that such code paths typically require access to an administrative
permission or an atypical configuration.
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
More Information

Updated: 2020-09-09 23:30:30 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)