Description

Drupal is prone to a remote code-execution vulnerability when the REST module is enabled (this module is disabled by default). Some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution.

A site is only affected by this if one of the following conditions is met:

  • the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests,
  • or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Remediation

If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.
No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
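The exposure conditions and fixed versions above can be turned into a triage check for a site inventory. The following is an added example, not code from Drupal or from this advisory; the Drupal 7 module machine names ("services", "restws") and the treatment of 8.x branches newer than 8.6 as already fixed are assumptions.

```python
"""Triage a Drupal site against this advisory (added example, not advisory code)."""
from __future__ import annotations

# Machine names of the web-services modules named in the advisory.
WEB_SERVICE_MODULES_D8 = {"rest", "jsonapi"}
WEB_SERVICE_MODULES_D7 = {"services", "restws"}  # assumption: machine names of the D7 modules
EXPOSING_METHODS = {"GET", "PATCH", "POST"}       # REST methods the advisory lists


def parse_version(version: str) -> tuple[int, ...]:
    """'8.6.9-dev' -> (8, 6, 9); pre-release suffixes are ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def core_vulnerable(version: str) -> bool:
    """True when Drupal 8 core predates the fixed release for its branch."""
    major, minor, patch = (parse_version(version) + (0, 0, 0))[:3]
    if major != 8:
        return False          # advisory: no core update for Drupal 7; other majors not covered
    if minor > 6:
        return False          # assumption: branches newer than 8.6.x ship the fix
    if minor == 6:
        return patch < 10     # 8.6.x fixed in 8.6.10
    return (minor, patch) < (5, 11)  # 8.5.x and earlier fixed in 8.5.11


def assess(version: str, enabled_modules: set[str],
           rest_methods: frozenset[str] = frozenset()) -> str:
    """Return 'exposed_upgrade_core', 'exposed_update_contrib' or 'not_exposed'.

    enabled_modules: machine names of enabled modules (constructed inventory input)
    rest_methods: HTTP methods allowed on core REST resources (only matters for 'rest')
    """
    mods = {m.lower() for m in enabled_modules}
    if parse_version(version)[0] == 7:
        # Drupal 7 core is fine, but exposing contrib modules need their own updates.
        return "exposed_update_contrib" if mods & WEB_SERVICE_MODULES_D7 else "not_exposed"
    if not core_vulnerable(version):
        return "not_exposed"
    rest_exposed = "rest" in mods and bool({m.upper() for m in rest_methods} & EXPOSING_METHODS)
    if rest_exposed or "jsonapi" in mods:
        return "exposed_upgrade_core"
    return "not_exposed"


if __name__ == "__main__":
    # Constructed inventory rows: (core version, enabled modules, REST methods)
    for row in [("8.6.9", {"rest"}, frozenset({"GET"})), ("8.5.11", {"jsonapi"}, frozenset()),
                ("7.65", {"services"}, frozenset())]:
        print(row[0], sorted(row[1]), "->", assess(*row))
```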
