A new highly critical vulnerability, identified as CVE-2019-6340, has just been disclosed in Drupal, and fortunately it is already fixed in the latest version of the content management system.
"If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time," Drupal said in the security advisory.
CVE-2019-6340 Technical Summary
CVE-2019-6340 is a remote code execution flaw in Drupal Core that could lead to arbitrary PHP code execution in some cases. Few technical details about the vulnerability are available. What is known is that the flaw is triggered because some field types do not properly sanitize data from non-form sources. The bug affects Drupal 7 and Drupal 8, the team said.
A Drupal site is only exploitable if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests. The flaw can also be triggered when another web services module is enabled.
How can CVE-2019-6340 be mitigated?
To mitigate the vulnerability, affected users can disable all web services modules, or configure their web server(s) not to allow PUT/PATCH/POST requests to web services resources. Keep in mind that web services resources may be available on multiple paths depending on the configuration of the corresponding server(s).
For Drupal 7, resources are typically available, for example, via paths (clean URLs) and via the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/, the advisory said.
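The web-server side of this mitigation amounts to a request filter, and the caveat about multiple paths is where such filters usually go wrong. The following Python function is an added example (it is not Drupal's code and not taken from the advisory) that rejects PUT/PATCH/POST requests to web services resources while accounting for the two aliases the advisory describes: Drupal 7 routing through the "q" query argument and Drupal 8 paths prefixed with index.php/. The resource prefixes /node/, /user/ and /entity/ are constructed placeholders; a real deployment substitutes the paths its own web services configuration exposes.

```python
from urllib.parse import urlsplit, parse_qs

# Methods the advisory recommends refusing for web services resources.
BLOCKED_METHODS = frozenset({"PUT", "PATCH", "POST"})

# Constructed placeholder prefixes (assumption, not from the advisory);
# replace with the resource paths your own web services configuration exposes.
WEB_SERVICE_PREFIXES = ("/node/", "/user/", "/entity/")


def normalize_path(url: str) -> str:
    """Resolve a request URL to the Drupal route path it would actually hit.

    Handles the two aliases the advisory calls out:
      * Drupal 7 may route through the "q" query argument (/?q=node/1)
        instead of a clean URL.
      * Drupal 8 clean URLs still resolve when prefixed with index.php/.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    query = parse_qs(parts.query)
    if query.get("q"):
        # Drupal 7 style routing: the real route is the value of "q".
        path = "/" + query["q"][0].lstrip("/")
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    elif path == "/index.php":
        path = "/"
    # Collapse repeated slashes so "//node/1" is treated as "/node/1".
    while "//" in path:
        path = path.replace("//", "/")
    return path


def is_web_service_resource(path: str) -> bool:
    """True if the normalized path falls under a web services resource prefix."""
    for prefix in WEB_SERVICE_PREFIXES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return True
    return False


def should_block(method: str, url: str) -> bool:
    """Decide whether the web server should reject the request."""
    if method.upper() not in BLOCKED_METHODS:
        return False
    return is_web_service_resource(normalize_path(url))


if __name__ == "__main__":
    # Constructed sample requests exercising each path variant.
    samples = [
        ("POST", "/node/1?_format=hal_json"),
        ("PATCH", "/index.php/node/1"),
        ("PATCH", "/?q=node/1"),
        ("GET", "/node/1?_format=json"),
        ("POST", "/contact"),
    ]
    for method, url in samples:
        verdict = "BLOCK" if should_block(method, url) else "allow"
        print(f"{verdict:5} {method:5} {url}")
```

Whatever server or proxy enforces the rule, the point the advisory makes is that matching on the clean URL alone is not enough: the same resource is reachable through `?q=` on Drupal 7 and through an `index.php/` prefix on Drupal 8, so the filter has to normalize the request before deciding. Disabling the web services modules outright avoids this path-matching problem entirely.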
Another remote code execution bug in Drupal, known as Drupalgeddon2, was exploited in October last year. An unknown criminal collective was taking advantage of an old security bug, tracked in the CVE-2018-7600 advisory, which had previously been patched in 2017. This intrusion attempt was called the Drupalgeddon2 attack and, according to the available research, it allowed attackers to exploit vulnerable sites and take total control of them, including access to private data.