High Threat Security Alert (A19-02-06): Vulnerability in Drupal


 

Published on: 21 February 2019

Last update on: 27 February 2019

Share on Facebook    Share on X   

Description:

Drupal released security updates to fix the vulnerability resided in the Drupal Core and its modules. An attacker could send a specially crafted PUT/PATCH/POST request to a vulnerable system to exploit the vulnerability.

Report indicates that active exploitation against the vulnerability (CVE-2019-6340) has been observed. Users are advised to take immediate action to patch your affected systems and update all affected contributed modules to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Drupal 8.5.x, 8.6.x
  • Drupal 7.x

Please note that no security updates will be provided for the versions of Drupal 8 prior to 8.5.x. Users should upgrade the Drupal to a supported branch or arrange migrating to other supported technology.

 

Impact:

A successful attack could lead to remote code execution on an affected system.

 

Recommendation:

The product vendor has released patches to address the issues.

  • Drupal 8.6.10
    https://www.drupal.org/project/drupal/releases/8.6.10

  • Drupal 8.5.11
    https://www.drupal.org/project/drupal/releases/8.5.11

  • For Drupal 7.x, only contributed modules are required to be updated
    https://www.drupal.org/security/contrib

 

More Information:

https://thehackernews.com/2019/02/drupal-hacking-exploit.html
https://www.imperva.com/blog/latest-drupal-rce-flaw-used-by-cryptocurrency-miners-and-other-attackers/
https://www.drupal.org/sa-core-2019-003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340

 



Tag: Drupal
Tags