CVE-2019-6340
Drupal core - Highly critical - Remote Code Execution
In short
Drupal's REST API fails to properly sanitize data before processing it, allowing an attacker to execute arbitrary PHP code on affected sites. This is critical because an attacker can take complete control of the website without needing a user account.
Technical detail
Insufficient input sanitization in field type processing allows unsafe deserialization of untrusted data via REST/web services endpoints (PATCH/POST requests). Exploitation requires the core REST module, or an alternative web services module, to be enabled; it leads to remote code execution with the privileges of the web application.
Summary generated and translated by AI from the official description.
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Drupal · Drupal Core

Public PoCs found — 17
github: github.com/jas502n/CVE-2019-6340 (★ 71)
github: github.com/knqyf263/CVE-2019-6340 (★ 42)
github: github.com/g0rx/Drupal-SA-CORE-2019-003 (★ 32)
github: github.com/oways/CVE-2019-6340 (★ 12)
github: github.com/ludy-dev/drupal8-REST-RCE (★ 4)
github: github.com/DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass (★ 2)
github: github.com/nobodyatall648/CVE-2019-6340 (★ 0)
github: github.com/cved-sources/cve-2019-6340 (★ 0)
github: github.com/josehelps/cve-2019-6340-bits (★ 0)
github: github.com/joaoaugustom/Drupal_REST-RCE_Unauthenticated (★ 0)
github: github.com/Sumitpathania03/Drupal-cve-2019-6340 (★ 0)
exploitdb: www.exploit-db.com/exploits/46459 (unverified)
cve_reference: www.exploit-db.com/exploits/46459/ (unverified)
cve_reference: www.exploit-db.com/exploits/46510/ (unverified)
exploitdb: www.exploit-db.com/exploits/46510 (unverified)
exploitdb: www.exploit-db.com/exploits/46452 (unverified)
cve_reference: www.exploit-db.com/exploits/46452/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340
https://www.drupal.org/sa-core-2019-003
https://www.exploit-db.com/exploits/46452/
https://www.exploit-db.com/exploits/46459/
https://www.exploit-db.com/exploits/46510/
https://www.synology.com/security/advisory/Synology_SA_19_09
http://www.securityfocus.com/bid/107106