Description
Drupal is prone to a remote code-execution vulnerability when the REST module is enabled (this module is disabled by default). Some field types do not properly sanitize data that arrives from non-form sources, which can lead to arbitrary PHP code execution.
A site is only affected by this if one of the following conditions is met:
- the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests,
- or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Remediation
If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.
No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
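The conditions and fixed releases above can be turned into a triage check over a site inventory. The following is an added example, not code from the advisory or from Drupal. It assumes the core version and the list of enabled module machine names have already been collected. Only "rest" is named on this page; "jsonapi", "services" and "restws" are the machine names assumed here for the other modules.

```python
import re

# Fixed core releases, taken from the Remediation text above.
FIXED_86 = (8, 6, 10)
FIXED_85 = (8, 5, 11)
# Machine names: "rest" is on the page; the others are this example's assumptions.
D8_WEB_SERVICES = {"rest", "jsonapi"}
D7_WEB_SERVICES = {"services", "restws"}


def parse_version(text):
    """'8.6.9' -> (8, 6, 9); '7.63' -> (7, 63). A suffix such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def assess(core_version, enabled_modules):
    """Return (affected, actions) for one site, following the advisory's conditions."""
    version = parse_version(core_version)
    hits_from = {7: D7_WEB_SERVICES, 8: D8_WEB_SERVICES}
    if version[0] not in hits_from:
        raise ValueError("the advisory covers Drupal 7 and 8 only")
    hits = sorted({m.lower() for m in enabled_modules} & hits_from[version[0]])
    actions = []
    if version[0] == 7:
        # No core fix for Drupal 7: only contributed web services modules matter.
        if hits:
            actions.append("update contributed modules: " + ", ".join(hits))
        return bool(hits), actions
    version = (version + (0,))[:3]
    target = FIXED_86 if version[1] >= 6 else FIXED_85
    patched = version >= target
    if not patched:
        actions.append("upgrade core to " + ".".join(map(str, target)))
    if hits:
        actions.append("review GET/PATCH/POST exposure and contrib updates: " + ", ".join(hits))
    return (not patched and bool(hits)), actions


if __name__ == "__main__":
    # Constructed inventory: (site, core version, enabled modules).
    inventory = [
        ("shop", "8.6.9", ["node", "rest"]),
        ("legacy", "7.63", ["views", "services"]),
    ]
    for site, core, modules in inventory:
        print(site, *assess(core, modules))
```

A Drupal 8 site without a web services module is reported as not affected but still gets the core upgrade action, since the module could be enabled later.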