- Advisory ID: DRUPAL-SA-CONTRIB-2013-014
- Project: Drush Debian Packaging (third-party module)
- Version: 7.x
- Date: 2013-January-30
- Security risk: Critical
- Exploitable from: Local
- Vulnerability: Information Disclosure
This package is a tool to build Debian packages from a Drupal instance.
The module doesn't sufficiently protect database credentials.
This vulnerability is mitigated by the fact that an attacker must have shell access to the server.
CVE identifier(s) issued
- Versions affected: All versions.
Drupal core is not affected. If you do not use the contributed Drush Debian Packaging module, there is nothing you need to do.
Uninstall the package.
Also see the Drush Debian Packaging project page.
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.