Drupal 8 core RESTful Web Services RCE

By Rejah Rehim
Published on 16 Jun 2021
Vulnerability

CVE-2019-6340 is a remote code execution flaw in Drupal 8's REST API module that affects websites using the Drupal REST API option. The vulnerability is exposed when the Drupal 8 core RESTful Web Services module is enabled on the site, allowing users to send GET, PATCH, and POST requests to the server, or when another web services module is enabled, such as JSON-API in Drupal 8 or REST services in Drupal 7. Even when the PATCH method is disabled, a GET request is enough to trigger the code execution flaw. By sending a malicious GET request with a serialized payload to the /node/id API endpoint, an attacker can execute commands on the server and take control of the vulnerable Drupal website.

Mitigation / Precaution

  • Upgrade Drupal to a recent version that includes the security patches, such as 8.6.10 or 8.5.11.
  • If you are using Drupal 7, upgrade all modules.
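
To look for the request pattern described above in captured traffic (for example at a reverse proxy or WAF that records request bodies), the following added example, which is not part of the original post or of Drupal's code, flags requests to /node/<id> where a GET carries a body or the body contains PHP serialized-object markers. The function names, the sample requests and the assumption that the serialized payload uses PHP's serialize() format are this example's own.

```python
import re
from urllib.parse import urlsplit

# Node resource path as described in the post: /node/<id>
NODE_PATH = re.compile(r"^/node/\d+/?$")
# Assumption: the "serialized payload" is PHP serialize() output. Objects are
# encoded as O:<len>:"Class":<n>: (or C:... for custom serialization). Quotes and
# namespace backslashes may be JSON-escaped, so an optional backslash is allowed.
PHP_OBJECT = re.compile(r'[OC]:\d+:\\?"[A-Za-z_\\][\w\\]*\\?":\d+:')

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method.upper(), urlsplit(target).path, body.decode("latin-1")

def findings(raw: bytes):
    """Return the reasons a request deserves review (empty list = nothing found)."""
    method, path, body = parse_request(raw)
    if not NODE_PATH.match(path):
        return []
    reasons = []
    if method == "GET" and body.strip():
        reasons.append("GET to node resource carries a request body")
    if PHP_OBJECT.search(body):
        reasons.append("body contains a PHP serialized object marker")
    return reasons

# Constructed sample requests (not captured traffic, and not a working payload).
BENIGN = b"GET /node/1?_format=json HTTP/1.1\r\nHost: example.test\r\n\r\n"
SUSPICIOUS = (b"GET /node/1 HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: application/json\r\n\r\n"
              b'{"value": "O:8:\\"stdClass\\":0:{}"}')
OTHER = b"POST /user/login HTTP/1.1\r\nHost: example.test\r\n\r\nname=a&pass=b"

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other", OTHER)):
        print(label, findings(raw))
```

A match is a reason to inspect the request and confirm the site's patch level, not proof of compromise.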
