- Advisory ID: DRUPAL-SA-CONTRIB-2013-014
- Project: Drush Debian Packaging (third-party module)
- Version: 7.x
- Date: 2013-January-30
- Security risk: Critical
- Exploitable from: Local
- Vulnerability: Information Disclosure
Description
This package is a tool to build Debian packages from a Drupal instance.
The module doesn't sufficiently protect database credentials.
This vulnerability is mitigated by the fact that an attacker must have shell access to the server.
CVE identifier(s) issued
- CVE-2013-0260
Versions affected
- All versions.
Drupal core is not affected. If you do not use the contributed Drush Debian Packaging module, there is nothing you need to do.
Solution
Uninstall the package.
Also see the Drush Debian Packaging project page.
Reported by
Fixed by
Not applicable.
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.