A ‘Highly Critical’ Remote Code Execution Vulnerability impacts Drupal core CMS
- The critical bug affects Drupal core branches Drupal 8.6.x, Drupal 8.5.x and earlier.
- The bug also affects sites with other web services modules enabled, such as JSON:API in Drupal 8 and the Services module or the RESTful Web Services module in Drupal 7.
The Drupal security team urged website administrators to immediately mitigate a highly critical vulnerability (CVE-2019-6340) that can lead to remote code execution (RCE) of arbitrary PHP code.
The Drupal team noted that the bug was due to some files failing to properly sanitize data from non-form sources, such as RESTful web services, which could lead to arbitrary remote PHP code execution.
Affected Drupal core branches
The critical bug affects the Drupal core branches Drupal 8.6.x, Drupal 8.5.x and earlier. It also affects sites with other web services modules enabled, such as JSON:API in Drupal 8 and the Services module or the RESTful Web Services module in Drupal 7.
The Drupal security team, which detected the vulnerability, noted that a site is affected only when the RESTful Web Services module is enabled and allows POST and PATCH requests.
Drupal released the security updates Drupal 8.6.10 and Drupal 8.5.11 to fix the vulnerability.
Drupal's advisory also lists alternative mitigations for sites that cannot update immediately:
- Disable all web services modules.
- Configure the web server to not allow PUT/PATCH/POST requests to web services resources.
“For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the 'q' query argument. For Drupal 8, paths may still function when prefixed with index.php/,” the Drupal team noted in its security advisory.
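The matching logic behind the second mitigation (blocking PUT/PATCH/POST to web services resources), written as an added Python example that is not from the advisory or this article: it applies the advisory's method list and, following the caveat quoted above, normalizes the Drupal 8 `index.php/` prefix and the Drupal 7 `q` query argument before matching the route. The path prefixes and the sample requests are assumed placeholders, not values from the advisory.

```python
"""Request-filter rule for the advisory's 'block PUT/PATCH/POST to web
services resources' mitigation, including the index.php/ and ?q= cases."""
from urllib.parse import parse_qs, urlsplit

# Exactly the methods the advisory names; GET/HEAD etc. are left alone.
BLOCKED_METHODS = {"PUT", "PATCH", "POST"}

# ASSUMED example route prefixes for web services resources. A real site
# substitutes the routes its REST / JSON:API / Services modules expose.
WEB_SERVICE_PREFIXES = ("/jsonapi", "/entity/", "/api/")


def canonical_path(raw_url: str) -> str:
    """Reduce a request URL to the Drupal route it will actually reach.

    Handles the two indirections quoted from the advisory:
      * Drupal 8: '/index.php/jsonapi/...' routes like '/jsonapi/...'
      * Drupal 7: '/?q=api/node' (non-clean URL) routes like '/api/node'
    """
    parts = urlsplit(raw_url)
    path = parts.path or "/"
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    elif path == "/index.php":
        path = "/"
    # Drupal 7 non-clean URLs carry the route in the 'q' argument.
    q = parse_qs(parts.query).get("q")
    if q and path == "/":
        path = "/" + q[0].lstrip("/")
    while "//" in path:  # collapse duplicate slashes before prefix matching
        path = path.replace("//", "/")
    return path


def should_block(method: str, raw_url: str) -> bool:
    """True when a state-changing method targets a web services route."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    path = canonical_path(raw_url)
    return any(path.startswith(p) for p in WEB_SERVICE_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for m, u in [("POST", "/jsonapi/node/article"),
                 ("PATCH", "/index.php/jsonapi/node/article/1"),
                 ("POST", "/?q=api/node"), ("GET", "/jsonapi/node/article")]:
        print(m, u, "->", "BLOCK" if should_block(m, u) else "allow")
```

A prefix check on the raw path alone would miss the second and third requests; the normalization step is what makes the rule match the advisory's caveat.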