Drupal patches critical access bypass flaw

Drupal patches critical access bypass flaw

Drupal has released a security update to address a critical vulnerability in Drupal 8.7.4 Workspaces module.

Drupal is a leading open-source content management system (CMS) that runs on over one million websites.

According to the Drupal Core security update, an access bypass condition exists when the experimental Workspaces module is enabled in Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.

The access bypass vulnerability CVE-2019-6342 is rated critical and could allow an attacker to take control of affected CMS system.

Mitigations

If your site is running Drupal 8.7.4, upgrade to Drupal 8.7.5 or disable the Workspaces module.

Also, organizations will need to run a manual step and run update.php to clear cache on the sytem. Drupal also recommends organizations clear cache on any reverse proxies or content delivery network (such as Varnish or CloudFlare) as well.

Close Menu