CVE-2020-13664: Drupal Core Arbitrary PHP code execution vulnerability
8.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
drupal/core | composer | >= 8.8.0, < 8.8.8 | 8.8.8 |
drupal/core | composer | >= 8.9.0, < 8.9.1 | 8.9.1 |
drupal/core | composer | >= 9.0.0, < 9.0.1 | 9.0.1 |
drupal/drupal | composer | >= 8.8.0, < 8.8.8 | 8.8.8 |
drupal/drupal | composer | >= 8.9.0, < 8.9.1 | 8.9.1 |
drupal/drupal | composer | >= 9.0.0, < 9.0.1 | 9.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided vulnerability information and references do not explicitly name specific vulnerable functions. While the CWE-77 classification suggests command injection issues, the advisory describes a path manipulation/creation vulnerability leading to potential RCE through directory naming rather than direct command injection. The actual vulnerable code path would likely involve directory creation/file handling functions, but without access to the specific commit diffs or patch details, we cannot definitively identify the exact functions responsible. The Windows-specific file system behavior mentioned suggests potential case sensitivity exploitation, but this would depend on Drupal's file handling implementation details not revealed in the provided sources.