[cv-announce-l] Drupal Vulnerability (SA-CORE-2019-003)


  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] Drupal Vulnerability (SA-CORE-2019-003)
  • Date: Wed, 20 Feb 2019 17:27:01 -0500

CI Operators:


Drupal's maintainers announced a critical field sanitization vulnerability[1] in Drupal Core. A site running Drupal 8 is affected if it is running RESTful Web Services which allow PATCH or POST requests, OR if it is running another web services module like JSON:API. A site running Drupal 7 is affected if it is running Services or RESTful Web Services.


Impact:

A malicious user could execute arbitrary PHP code.


Affected Software:

Drupal 8.6.x < 8.6.9

Drupal 8.5.x < 8.5.10 (Note, versions of Drupal 8 prior to 8.5.x are end-of-life.)

Drupal 7 - no core update is required, but you may need to update affected contributed modules.


Recommendation:

Upgrade to the latest version of Drupal 8.

Drupal 8.6.x: https://www.drupal.org/project/drupal/releases/8.6.10

Drupal 8.5.x: https://www.drupal.org/project/drupal/releases/8.5.11
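The affected-version and affected-module conditions above translate into a small triage check that an operator can run against inventory data. The script below is an added example written for this archive page, not code from Trusted CI or from Drupal. It assumes the version string comes from `drush status` style output, that enabled modules are known by their machine names, and that the machine names `rest`, `jsonapi`, `services` and `restws` correspond to the modules named in the notice; all sample input is constructed.

```python
"""Triage helper for SA-CORE-2019-003 exposure (added example).

Decides, from a Drupal core version and the set of enabled modules,
whether a site falls in the affected ranges described in the notice.
Module machine names are assumptions made for this example.
"""
import re

# Fixed releases named in the notice: 8.6.x is fixed at 8.6.9, 8.5.x at 8.5.10.
FIXED_RELEASES = {(8, 6): (8, 6, 9), (8, 5): (8, 5, 10)}

# Drupal 8 web services modules (machine names assumed for this example).
D8_WEB_SERVICES = {
    "jsonapi": "JSON:API",
    "rest": "RESTful Web Services",  # affected only if PATCH/POST are allowed
}
# Drupal 7 contributed modules named in the notice (machine names assumed).
D7_WEB_SERVICES = {"services": "Services", "restws": "RESTful Web Services"}


def parse_version(text):
    """Turn '8.6.8' or '7.63' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_from_status(status_text):
    """Extract the core version from 'drush status' style output."""
    m = re.search(r"Drupal version\s*:\s*(\S+)", status_text)
    if not m:
        raise ValueError("no 'Drupal version' line found")
    return m.group(1)


def core_fix_missing(version):
    """True if a Drupal 8 core version predates the fixed release of its branch.

    Branches older than 8.5 are end-of-life and received no fix, so they are
    treated as unpatched. Non-8 majors return False (handled separately).
    """
    major, minor, patch = parse_version(version)
    if major != 8:
        return False
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return minor < 5
    return (major, minor, patch) < fixed


def assess(version, enabled_modules):
    """Return a triage verdict: affected, review, not_affected or unknown."""
    major = parse_version(version)[0]
    enabled = set(enabled_modules)
    if major == 8:
        if not core_fix_missing(version):
            return {"status": "not_affected",
                    "reason": "core is at or past the fixed release"}
        if "jsonapi" in enabled:
            return {"status": "affected",
                    "reason": "JSON:API enabled on unpatched core",
                    "action": "update Drupal core"}
        if "rest" in enabled:
            # Exposure depends on whether the REST configuration allows
            # PATCH or POST, which a module list alone cannot show.
            return {"status": "review",
                    "reason": "RESTful Web Services enabled on unpatched core; "
                              "check whether PATCH or POST requests are allowed",
                    "action": "update Drupal core"}
        return {"status": "not_affected",
                "reason": "no web services module enabled",
                "action": "update Drupal core anyway"}
    if major == 7:
        hits = sorted(enabled & set(D7_WEB_SERVICES))
        if hits:
            return {"status": "affected",
                    "reason": "Drupal 7 with " + ", ".join(D7_WEB_SERVICES[h] for h in hits),
                    "action": "update contributed modules: " + ", ".join(hits)}
        return {"status": "not_affected",
                "reason": "no Services or RESTful Web Services module enabled"}
    return {"status": "unknown", "reason": "unrecognised Drupal major version"}


if __name__ == "__main__":
    # Constructed 'drush status' excerpt and module list for demonstration.
    sample_status = "Drupal version   :  8.6.8\nSite URI         :  http://default\n"
    sample_modules = ["node", "user", "rest", "jsonapi"]
    print(assess(version_from_status(sample_status), sample_modules))
```

The `review` verdict is deliberate: the notice ties Drupal 8 REST exposure to whether PATCH or POST requests are allowed, and that is a configuration detail a module inventory does not capture, so the operator is told to check it rather than being given a false negative.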


References:

[1] https://www.drupal.org/sa-core-2019-003


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

