Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
A site is only affected by this if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- the site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the “q” query argument. For Drupal 8, paths may still function when prefixed with index.php/.
- Samuel Mortenson of the Drupal Security Team
- Sascha Grossenbacher
- Peter Wolanin of the Drupal Security Team
- Samuel Mortenson of the Drupal Security Team
- Daniel Wehner
- Cash Williams of the Drupal Security Team
- Wim Leers
- Jess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Francesco Placella
- Damian Lee
- Tobias Zimmermann
- Ted Bowman
- Damien McKenna of the Drupal Security Team
- Alex Bronstein of the Drupal Security Team
- Rob Loach
- Gabe Sullice
- Michael Hess of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Heshan Wanigasooriya
- David Snopek of the Drupal Security Team
- Wolfgang Ziegler
- Miro Dietiker
- Truls S. Yggeseth