Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CORE-2018-005
- Project: Drupal core
- Version: 8.x
- CVE: CVE-2018-14773
- Date: 2018-August-01
Description
The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.
The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.
The Drupal Security Team would like to to thank the Symfony and Zend Security teams for their collaboration on this issue.
Versions affected
8.x versions before 8.5.6.
Solution
Upgrade to Drupal 8.5.6.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Reported By
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
