⚠️ CISA Known Exploited Vulnerability
Active Threat
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Active exploitation has been observed in the wild. This poses significant risk to federal enterprises and should be prioritized for immediate patching.
CVE-2019-6340
High | CISA KEV
Vulnerability Description
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Known Affected Software
21 configuration(s) from 1 vendor(s)
cpe:2.3:a:drupal:drupal:8.5.7:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.0:-:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.7:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.2:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.3:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.3:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.8:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.6:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.5:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.0:-:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.8:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.6:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.9:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.2:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.9:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.4:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.5:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.1:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.1:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.6.4:*:*:*:*:*:*:*
cpe:2.3:a:drupal:drupal:8.5.10:*:*:*:*:*:*:*
References & Resources
- http://www.securityfocus.com/bid/107106 (source: mlhess@drupal.org; tags: Third Party Advisory, VDB Entry, Broken Link)
- https://www.drupal.org/sa-core-2019-003 (source: mlhess@drupal.org; tags: Mitigation, Vendor Advisory)
- https://www.exploit-db.com/exploits/46452/ (source: mlhess@drupal.org; tags: Patch, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/46459/ (source: mlhess@drupal.org; tags: Exploit, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/46510/ (source: mlhess@drupal.org; tags: Exploit, Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_19_09 (source: mlhess@drupal.org; tags: Third Party Advisory)
- http://www.securityfocus.com/bid/107106 (source: af854a3a-2127-422b-91ae-364da2661108; tags: Third Party Advisory, VDB Entry, Broken Link)
- https://www.drupal.org/sa-core-2019-003 (source: af854a3a-2127-422b-91ae-364da2661108; tags: Mitigation, Vendor Advisory)
- https://www.exploit-db.com/exploits/46452/ (source: af854a3a-2127-422b-91ae-364da2661108; tags: Patch, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/46459/ (source: af854a3a-2127-422b-91ae-364da2661108; tags: Exploit, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/46510/ (source: af854a3a-2127-422b-91ae-364da2661108; tags: Exploit, Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_19_09 (source: af854a3a-2127-422b-91ae-364da2661108; tags: Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-6340 (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0; tags: US Government Resource)
Severity Details
CISA KEV Status
Listed in CISA's Known Exploited Vulnerabilities catalog
Weakness Type (CWE)
Deserialization of Untrusted Data
- Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- Exploit Likelihood: Medium
- Typical Severity: Medium
- OWASP Top 10: A08:2021-Software/Data Integrity Failures
- Abstraction Level: Base
Key Information
- Published Date: February 21, 2019
