On February 20, we monitored an important security update released by Drupal, which patched a remote code execution vulnerability with the vulnerability number CVE-2019-6340. After research, the vulnerability was caused by the data passed into the RESTful Web service without strict verification. Successful exploitation of the vulnerability can result in remote code execution on the target host. RESTful services are not turned on by default, greatly reducing the risk of vulnerabilities. For security reasons, users of Drupal are advised to upgrade in a timely manner.
The vulnerability was caused by Drupal’s lack of rigorous validation of RESTful Web data. If the site has a RESTful web service enabled and accepts PATCH, POST requests, or other web service modules enabled in the site, there will be a deserialization issue that will result in code execution.
- Drupal 8.6.9 and below
- Drupal 8.5.x or earlier
For this vulnerability, you can disable all web service modules or disable PUT / PATCH / POST requests for mitigation. It is strongly recommended that users upgrade the latest Drupal version.