Drupal updated the severity of a remote code execution (RCE) vulnerability to “Highly Critical” after known public exploits were discovered.
As disclosed last week in Drupal security advisory SA-CORE-2019-003, the highly critical RCE bug CVE-2019-6340 affects Drupal 8.5.x and 8.6.x.
Some field types do not properly sanitize data from non-form sources, which could then lead to arbitrary PHP code execution in some cases.
However, the risk was raised after a new exploit path was discovered.
“In the original SA we indicated this could be mitigated by blocking POST, PATCH and PUT requests to web services resources, there is now a new way to exploit this using GET requests,” Drupal added on Saturday in a more recent advisory, PSA-2019-02-22.
System admins running 8.5.x or 8.6.x should update to the latest versions, Drupal 8.5.11 and Drupal 8.6.10, respectively.
Security updates should also be applied for contributed projects after updating Drupal core.