SB2019022101 - Remote PHP code execution in Drupal

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019022101

SB2019022101 - Remote PHP code execution in Drupal

Published: February 21, 2019 Updated: February 27, 2019

Security Bulletin ID SB2019022101
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Code Injection (CVE-ID: CVE-2019-6340)

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation when processing field types in requests, related to API functionality. A remote attacker can send a specially crafted request and execute arbitrary PHP code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that:

  • - RESTful Web Services (rest) module is enabled and accepts PATCH or POST requests

    • OR

  • - the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Note: we are aware of reports regarding in the wild exploitation of this vulnerability days after the official patch.

Remediation

Install update from vendor's website.

References