⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2019-6340Deserialization of Untrusted Data in Drupal Core

CWE-502Deserialization of Untrusted Data22 documents12 sources
Severity
8.1HIGHNVD
EPSS
94.4%
top 0.01%
CISA KEV
KEV
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
3
Drupal CoreDrupalDrupal Core
Timeline
PublishedFeb 21
KEV addedMar 25
KEV dueApr 15
Latest updateMay 13
CISA Required Action: Apply updates per vendor instructions.

Description

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupa

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

Packagistdrupal/core8.0.08.5.11+2
CVEListV5drupal/drupal_core8.58.5.11+1
NVDdrupal/drupal8.5.08.5.11+1
Packagistdrupal/drupal7.0.07.62.0+2

Patches

Patch: www.exploit-db.comPatch: www.exploit-db.com

🔴Vulnerability Details

5
OSV
Drupal Core Remote Code Execution Vulnerability2022-05-13
GHSA
Drupal Core Remote Code Execution Vulnerability2022-05-13
CVEList
Drupal core - Highly critical - Remote Code Execution2019-02-21
OSV
CVE-2019-6340: Some field types do not properly sanitize data from non-form sources2019-02-20
VulnCheck
Drupal Core Remote Code Execution Vulnerability2019

💥Exploits & PoCs

4
Exploit-DB
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)2019-03-07
Exploit-DB
Drupal < 8.6.9 - REST Module Remote Code Execution2019-02-25
Exploit-DB
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution2019-02-23
Nuclei
Drupal - Remote Code Execution

📋Vendor Advisories

2
CISA
Drupal Core Remote Code Execution Vulnerability2022-03-25
Drupal
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-0032019-02-20

🕵️Threat Intelligence

8
Trendmicro
Schwachstelle in Drupal2019-03-01
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks2019-02-27
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks2019-02-27
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks2019-02-27
Trendmicro
Drupal Vulnerability Can Be Exploited for RCE Attacks2019-02-27

💬Community

2
Bugzilla
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution2019-02-22
Bugzilla
CVE-2019-6340 drupal: does not sanitize data from non-form sources leads to arbitrary PHP code execution [fedora-all]2019-02-22
CVE-2019-6340 — Deserialization of Untrusted Data | cvebase