Security Risk: 
Not Critical
Vulnerability: 
Information Disclosure
Affected Versions: 
Up through v4.6.20 and v4.7.10
Fixed Versions: 
v4.6.21+ and v4.7.11+
Publication Date: 
Wednesday, September 7, 2016
Description: 

An automated security audit (static code analysis of the CiviCRM codebase) found that a bundled dependency, the PEAR command-line front-end shipped in the "packages" folder (packages/PEAR/Frontend/CLI.php), could reveal semi-sensitive backtrace data if an attacker could invoke the script directly and provoke an error. A PHP backtrace exposes server-side file paths and call-stack details, which is why this is classed as information disclosure rather than anything more severe.

No working exploit has been identified.

As a precautionary measure, CiviCRM v4.6.21 and v4.7.11 remove PEAR CLI.

Solutions: 

Any ONE of the following:

  • Upgrade to CiviCRM v4.7.11+ or v4.6.21+ (the fixed releases no longer ship the file; after upgrading, confirm that "packages/PEAR/Frontend/CLI.php" is gone)
  • Delete the file "packages/PEAR/Frontend/CLI.php" from the CiviCRM installation. This is the same change the fixed releases make, so deleting it on an existing install is safe.
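A check-and-remediate script for the second option, assuming a POSIX shell and a CiviCRM tree whose root is passed as an argument. This is an added example, not part of the advisory or of the CiviCRM project: the version-range test encodes the Affected Versions above, and the version-extraction helper assumes that civicrm-version.php in the install root declares the version as `'version' => '...'`, which the advisory itself does not state.

```shell
#!/bin/sh
# Added example (not from the advisory or the CiviCRM project): decide whether a
# CiviCRM version string falls in the advisory's Affected Versions range, and
# apply the file-deletion workaround to an install tree.

# is_affected VERSION
# Returns 0 when VERSION is "up through v4.6.20" (4.6.20 or anything older,
# earlier release lines included) or "up through v4.7.10" (4.7.0 to 4.7.10),
# and 1 otherwise (4.6.21+, 4.7.11+, or any later release line).
is_affected() {
  ver="${1#v}"                        # accept "v4.7.10" as well as "4.7.10"
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}             # drop suffixes such as "-beta1"
  [ -n "$patch" ] || patch=0
  if [ "$major" -lt 4 ]; then return 0; fi
  if [ "$major" -gt 4 ]; then return 1; fi
  case "$minor" in
    [0-5]) return 0 ;;                # 4.0 .. 4.5 are below 4.6.20
    6) [ "$patch" -le 20 ] ;;         # up through 4.6.20
    7) [ "$patch" -le 10 ] ;;         # up through 4.7.10
    *) return 1 ;;                    # 4.8+ are outside the advisory's range
  esac
}

# civicrm_version CIVICRM_ROOT
# Prints the version declared in civicrm-version.php. Assumption (not from the
# advisory): that file sits in the install root and contains a line such as
#   'version' => '4.7.10',
civicrm_version() {
  sed -n "s/.*'version'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" \
    "$1/civicrm-version.php" | head -n 1
}

# remove_pear_cli CIVICRM_ROOT
# Deletes packages/PEAR/Frontend/CLI.php if present. Returns 0 whether the file
# was removed or was already absent (so it is safe to re-run), 1 if CIVICRM_ROOT
# has no packages/ directory (probably the wrong path), 2 if the delete failed.
remove_pear_cli() {
  root="$1"
  target="$root/packages/PEAR/Frontend/CLI.php"
  if [ ! -d "$root/packages" ]; then
    echo "no packages/ directory under $root; is this the CiviCRM root?" >&2
    return 1
  fi
  if [ -f "$target" ]; then
    rm -f -- "$target" || return 2
    echo "removed $target"
  else
    echo "already absent: $target"
  fi
}

# Usage: sh fix-pear-cli.sh /path/to/civicrm
if [ -n "$1" ]; then
  root="$1"
  v=$(civicrm_version "$root")
  if [ -n "$v" ] && is_affected "$v"; then
    echo "CiviCRM $v is in the affected range"
  elif [ -n "$v" ]; then
    echo "CiviCRM $v is not in the affected range; checking for the file anyway"
  fi
  remove_pear_cli "$root"
fi
```

The range test treats "up through v4.6.20" literally, so release lines older than 4.6 are reported as affected too; the file removal is attempted regardless of the version result, because a stale copy of the file can survive an upgrade.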
Credits: 
  • Chris Burgess (Fuzion)
  • Tim Otten (CiviCRM)
  • Seamus Lee (Australian Greens)