Allele Security Alert
ASA-2019-00108
Identifier(s)
ASA-2019-00108, CVE-2019-6340, SA-CORE-2019-003
Title
Remote code execution if REST module is enabled
Vendor(s)
Drupal Association
Product(s)
Drupal
Affected version(s)
Drupal 8.6.x before version 8.6.10
Drupal 8.5.x before version 8.5.11
Fixed version(s)
Drupal version 8.6.10
Drupal version 8.5.11
Proof of concept
Yes
Description
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
A site is only affected by this if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Technical details
Unknown
Credits
Samuel Mortenson (Drupal Security Team)
Reference(s)
Drupal core – Highly critical – Remote Code Execution – SA-CORE-2019-003
https://www.drupal.org/node/3034490
Drupal SA-CORE-2019-003 远程命令执行分析
https://paper.seebug.org/821/
SA-CORE-2019-003 by samuel.mortenson, Berdir, pwolanin, dawehner, cas… · drupal/core@24b3fae
https://github.com/drupal/core/commit/24b3fae89eab2b3951f17f80a02e19d9a24750f5
Exploiting Drupal8’s REST RCE (SA-CORE-2019-003, CVE-2019-6340)
https://www.ambionics.io/blog/drupal8-rce
CVE-2019-6340 POC Drupal rce
https://github.com/oways/CVE-2019-6340
CVE-2019-6340
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340
CVE-2019-6340
https://nvd.nist.gov/vuln/detail/CVE-2019-6340
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 25, 2019