Vulnerability Watch


snarang
Product Team
6 years ago


CVE-2019-11831: PharStreamWrapper Insecure Deserialization Bypass In Typo3, Drupal and Joomla

CVE-2019-11831 is a vulnerability in PharStreamWrapper, a library included in many PHP-based projects and used in particular by TYPO3, Drupal and Joomla. The vulnerability "bypasses" a previous fix for an insecure deserialization issue in PharStreamWrapper, in which "untrusted data is used to abuse the logic of an application." Daniel le Gall, the security researcher who discovered the bypass, rates it between "Medium to High" depending on the application and believes it could lead to "RCE (Remote Code Execution) on some systems," depending on the configuration and on whether vulnerable modules are installed.

On May 7, Joomla published an advisory for Joomla 3.9.3 through 3.9.5, rating it as a “low” severity vulnerability.

On May 8, both TYPO3 and Drupal published their own security advisories [1,2], with Drupal rating the vulnerability "moderately critical" on its security risk level matrix.

Additional detail about CVE-2019-11831 can be found in TYPO3's advisory, specifically how a path (directory) traversal sequence in a phar:// path bypasses the existing PharStreamWrapper interception logic, so that a malicious Phar archive can be loaded in place of an allowed one on a vulnerable site.
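To make the bug class concrete, the following Python model (an added example, not code from this post, from the TYPO3 project or from PharStreamWrapper itself) shows a guard that canonicalizes a phar:// path differently from the component that actually opens the archive, and a hardened guard that resolves the archive the same way the consumer does before consulting the allowlist. The archive-resolution rule ("first path component ending in .phar"), the file paths and the allowlist are assumptions made for the model; PharStreamWrapper's real internals and the exact traversal pattern are described in the TYPO3 advisory, not reproduced here.

```python
"""Model of a phar:// allowlist check bypassed by path traversal.

Constructed example: the paths, the allowlist and the resolution rule
below are assumptions of this model, not PharStreamWrapper's code.
"""
import posixpath

# Hypothetical allowlist: the only archive the application may open via phar://.
ALLOWED_ARCHIVES = {"/var/www/vendor/good.phar"}

# Constructed sample inputs.
LEGIT_URL = "phar:///var/www/vendor/good.phar/data.txt"
BYPASS_URL = "phar:///var/www/uploads/bad.phar/../../vendor/good.phar/data.txt"


def strip_scheme(url: str) -> str:
    """Return the path part of a phar:// URL (lowercase scheme assumed)."""
    if not url.startswith("phar://"):
        raise ValueError("not a phar:// URL")
    return url[len("phar://"):]


def consumer_base_file(url: str) -> str:
    """Model of the component that really opens the archive.

    Assumption of the model: the archive is the first path component that
    ends in '.phar', scanning left to right; any '..' segments after it are
    treated as a path *inside* the archive and never cross its boundary.
    Only the prefix up to the archive is canonicalized.
    """
    parts = strip_scheme(url).split("/")
    for i, part in enumerate(parts):
        if part.endswith(".phar"):
            return posixpath.normpath("/".join(parts[: i + 1]))
    raise ValueError("no .phar component in path")


def naive_guard_base_file(url: str) -> str:
    """Weak guard: canonicalizes the whole path first, then finds the archive.

    '..' segments placed after an attacker-controlled archive are folded
    across the archive boundary, so the guard inspects a different file
    than the consumer opens.
    """
    path = posixpath.normpath(strip_scheme(url))
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".phar"):
            return "/".join(parts[: i + 1])
    raise ValueError("no .phar component in path")


def naive_is_allowed(url: str) -> bool:
    """Allowlist check built on the weak resolution rule."""
    return naive_guard_base_file(url) in ALLOWED_ARCHIVES


def hardened_is_allowed(url: str) -> bool:
    """Allowlist check that resolves the archive exactly like the consumer.

    The guard and the consumer must agree on which file a URL denotes;
    otherwise the allowlist is checked against the wrong archive.  A
    stricter deployment may additionally reject any '..' segment outright.
    """
    return consumer_base_file(url) in ALLOWED_ARCHIVES


def demo() -> dict:
    """Run both guards over the constructed URLs and report what happens."""
    return {
        "legit_naive": naive_is_allowed(LEGIT_URL),
        "legit_hardened": hardened_is_allowed(LEGIT_URL),
        "bypass_naive": naive_is_allowed(BYPASS_URL),        # True: guard fooled
        "bypass_hardened": hardened_is_allowed(BYPASS_URL),  # False: rejected
        "bypass_opens": consumer_base_file(BYPASS_URL),      # the attacker's archive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway is the one practitioners should check in their own interception code: the allowlist decision must be made on the path as the consumer (here PHP's phar handling, in the model) will actually resolve it, not on a separately normalized copy. The fix shipped in PharStreamWrapper 3.1.1 / 2.1.1 addresses the traversal in the library; the model only illustrates why the mismatch matters.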

TYPO3 has addressed this vulnerability in the PharStreamWrapper library in version 3.1.1 (for PHP 7.0 and later) and version 2.1.1 (for PHP 5.3 and later). For TYPO3 CMS itself, 9.5.6 LTS and 8.7.25 LTS address this vulnerability.

Drupal has addressed this vulnerability in Drupal 8.7.1, Drupal 8.6.16 and Drupal 7.67. As a reminder, Drupal 8 releases before 8.6.x (8.5.x and earlier) no longer receive security updates because they are considered EOL (end-of-life), so sites on those releases should upgrade rather than wait for a patch.

Joomla has addressed this vulnerability in Joomla 3.9.6.
