- Advisory ID: SA-CORE-2018-005
- Project: Drupal core
- Version: 8.x
- CVE: CVE-2018-14773
- Date: 2018-August-01
The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue.
The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.
The Drupal Security Team would like to thank the Symfony and Zend Security teams for their collaboration on this issue.

Versions affected
8.x versions before 8.5.6.

Solution
Upgrade to Drupal 8.5.6.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.

Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 8.x