CVE-2019-6340
published 2019-02-21


Priority: P1 · 92 high · CVSS 3.1: 8.1
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 91.92% (99.8th percentile)
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

Affected

11 ranges

Vendor | Product     | Version range       | Fixed in
drupal | core        | >= 7.0.0 < 7.62.0   | 7.62.0
drupal | core        | >= 8.0.0 < 8.5.11   | 8.5.11
drupal | core        | >= 8.6.0 < 8.6.10   | 8.6.10
drupal | drupal      | >= 7.0.0 < 7.62.0   | 7.62.0
drupal | drupal      | >= 8.0.0 < 8.5.11   | 8.5.11
drupal | drupal      | >= 8.5.0 < 8.5.11   | 8.5.11
drupal | drupal      | >= 8.6.0 < 8.6.10   | 8.6.10
drupal | drupal      | >= 8.6.0 < 8.6.10   | 8.6.10
drupal | drupal_core |                     |
drupal | drupal_core | >= 8.5 < 8.5.11     | 8.5.11
drupal | drupal_core | >= 8.6 < 8.6.10     | 8.6.10

Detection & IOCs (extracted from sources)

Source (other, 2833): CVE-2019-6340 Drupal8 RESTful Web Services Remote Code Execution - HTTP (Request)
  • The serialized payload uses a Guzzle gadget chain generated by PHPGGC (PHP Generic Gadget Chains); look for PHPGGC-style serialized PHP objects in HTTP request bodies to Drupal REST endpoints.
  • RCE via GET request without authentication is possible when RESTful Web Services, Hypertext Application Language (HAL), and HTTP Basic Authentication modules are all enabled; do not rely solely on blocking PATCH/POST.
  • All REST API endpoints in affected Drupal versions are potentially vulnerable; monitor HTTP methods GET, PUT, PATCH, and POST to web services endpoints.
  • Exploitation requires RESTful Web Services, HAL, and HTTP Basic Authentication modules to all be enabled; verify co-enablement of these three modules as a risk indicator.
  • Only Drupal 8.6.x < 8.6.10 and Drupal 8.5.x < 8.5.11 are affected; Drupal 7 core does not require a core update but contributed modules (RESTful Web Services, Services) may need patching.
  • Disabling PUT/PATCH/POST request types server-side is insufficient mitigation on its own because GET requests can also trigger RCE under certain module configurations.
  • The exploit requires RESTful Web Services, HAL, and HTTP Basic Authentication modules to all be simultaneously enabled; sites missing any one of these three modules could not be exploited via the GET-based PoC path.
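As an added example (not from the page's sources or from Drupal itself), a small Python detector that applies the points above: it watches every method including GET, treats requests carrying a `_format` query parameter or a `/jsonapi` path as web-services traffic (an assumption about Drupal routing), and flags PHP serialized-object markers in the decoded query string or JSON body, marking GuzzleHttp class names as gadget-chain-shaped. The sample requests are constructed and the GuzzleHttp class name in them is a placeholder.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Generic PHP serialized-object marker O:<len>:"<class name>"; not tied to any one payload.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)"')
# Watch every method, not just PATCH/POST: the sources say GET can trigger the bug too.
WATCHED_METHODS = {"GET", "PUT", "PATCH", "POST"}

def _strings_in(value):
    """Yield every string nested inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in value.values() if isinstance(value, dict) else value:
            yield from _strings_in(item)

def classify_request(method, url, body=""):
    """Return None for a benign request, otherwise a dict explaining the hit."""
    method, parts = method.upper(), urlsplit(url)
    query = parse_qs(parts.query)
    # Assumption: Drupal REST routes take a _format query parameter; JSON:API lives under /jsonapi.
    web_services = parts.path.startswith("/jsonapi") or "_format" in query
    if method not in WATCHED_METHODS or not web_services:
        return None
    # GET carries its data in the (URL-decoded) query string; other methods may use the body.
    texts = [v for values in query.values() for v in values]
    try:
        texts.extend(_strings_in(json.loads(body)))  # JSON body: look inside its strings
    except ValueError:
        texts.append(body)  # not JSON: scan the raw body
    classes = sorted({c for text in texts for c in PHP_OBJECT_RE.findall(text)})
    if not classes:
        return None
    return {"method": method, "path": parts.path, "classes": classes,
            "guzzle_gadget": any(c.startswith("GuzzleHttp") for c in classes)}

# Constructed sample requests (method, url, body); the GuzzleHttp class name is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "/node/1?_format=hal_json", ""),
    ("POST", "/node?_format=hal_json", '{"title": "O:22:\\"GuzzleHttp\\\\Placeholder\\":0:{}"}'),
    ("GET", "/node/1?_format=hal_json&p=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D", ""),
    ("POST", "/user/login", "name=alice&pass=secret"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Run the classifier over (method, url, body) tuples and keep only the hits."""
    return [hit for hit in (classify_request(*req) for req in requests) if hit]
```

Feed it parsed access or WAF logs that retain the query string and request body; a hit on a GET is the case the sources warn is missed when only PATCH/POST are blocked.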

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck |         | 8.1   | HIGH     |
cisa      |         | 8.1   | HIGH     |