Moderately critical security update for Drupal 7 & 8 cores - SA-CORE-2019-007

The Drupal Security Team announced a moderately critical security advisory for both Drupal 7 and Drupal 8 core today, May 8, 2019, with the following details:

Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14∕25
Vulnerability: Third-party libraries


Drupal core uses the third-party Phar Stream Wrapper component. This library has released a security update which impacts Drupal core. As described in TYPO3-PSA-2019-007:

It has been discovered that the protection against insecure deserialization can be by-passed in Phar Stream Wrapper component. Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. The current implementation is vulnerable to path traversal leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.


The final severity assessment has to be done in the component making use of the Phar Stream Wrapper package and depends on the interceptor strategy that has been used. In case file invocations on user submitted paths are allowed at least insecure deserialization is possible. Depending on the specific implementation in the using components this could lead to higher impact scores concerning confidentiality, integrity and availability.


Install the latest version:

Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of open source applications, AI, and bitcoin, but mostly Drupal and Backdrop. In recent years, he has been actively developing AltaGrade's new back-end system.
