Vulnerability Watch

snarang
Product Team
6 years ago

Drupal Releases Two ‘Moderately Critical’ Security Advisories

On April 17, Drupal published two security advisories, SA-CORE-2019-005 and SA-CORE-2019-006, which they have deemed as “moderately critical” according to their own internal security risk scoring.

SA-CORE-2019-005

The first Drupal security advisory addresses a third-party dependency that is “included in or required by Drupal core.” This dependency is for the Symfony PHP framework. Symfony patched three separate vulnerabilities, CVE-2019-10909, CVE-2019-10910, and CVE-2019-10911.

CVE-2019-10909 is a vulnerability in the PHP templating engine, which does not properly escape validation messages containing user input, potentially leading to cross-site scripting (XSS) attacks.

CVE-2019-10910 is a vulnerability involving the lack of filtering of user inputs relating to Service identifiers (IDs) which “could result in the execution of any arbitrary code, resulting in possible remote code execution.”

CVE-2019-10911 is a vulnerability in the way expiration time is stored in “remember me” cookies, which could be referenced as either part of a username, or a username could be considered part of the expiration time. Modification of the “remember me” cookie could allow an attacker to authenticate as another user. Drupal states that this attack is only possible “if remember me functionality is enabled” as well as if “two users share a password hash or the password hashes are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).”

SA-CORE-2019-006

The second Drupal security advisory addresses a security vulnerability that was fixed in the jQuery project version 3.4.0 that affects all prior versions of jQuery. The bug is the result of “unintended behavior when using jQuery.extend(true, {}, …).” Drupal states that exploitation of this bug is possible “with some Drupal modules.” As a result, Drupal did not fully update jQuery, opting instead to backport the fix for jQuery extend without including any other fixes to jQuery as part of Drupal core.
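The “unintended behavior” fixed in jQuery 3.4.0 is that a deep `jQuery.extend` recursed into a source key named `__proto__`, so merging untrusted JSON into a plain object could write properties onto `Object.prototype` (prototype pollution). The following is an added illustration written for this post, not code from the original post, from Drupal or from jQuery: `naiveDeepExtend` mirrors the shape of the pre-3.4.0 deep merge, `safeDeepExtend` applies the same guard the upstream fix introduced (skip `__proto__`, never recurse into the target itself), and `isPolluted` is a small check a defender can run after a merge. The function names, the `FORBIDDEN_KEYS` set and the `UNTRUSTED_JSON` input are all constructed for the example.

```javascript
// Added illustration (not from the post, Drupal or jQuery).
// naiveDeepExtend mirrors the shape of a pre-3.4.0 deep extend: it recurses into
// every key of the source, including "__proto__". For a plain object,
// target["__proto__"] resolves to Object.prototype, so the recursion mutates the
// prototype shared by every object in the realm.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = target[key];            // "__proto__" -> Object.prototype
      const clone = existing && typeof existing === 'object' ? existing : {};
      target[key] = naiveDeepExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input. jQuery 3.4.0 skips
// "__proto__"; "constructor" and "prototype" are added here as defence in depth
// (assumption: a stricter policy than the upstream fix).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// safeDeepExtend: same merge semantics, but dangerous keys are skipped, only
// own properties of the target are reused as merge targets, and a source that
// is the target itself is never recursed into.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (value === target) continue;
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const clone = existing && typeof existing === 'object' && !Array.isArray(existing) ? existing : {};
      target[key] = safeDeepExtend(clone, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// isPolluted reports whether a brand-new empty object inherits `marker`,
// i.e. whether Object.prototype has been written to.
function isPolluted(marker) {
  return marker in {};
}

// Constructed untrusted input: a settings blob as a client might POST it.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":"yes"}}';

// demo() runs the vulnerable and the hardened merge on the same input and
// reports what each did. It removes the pollution it caused before returning.
function demo() {
  const naiveResult = naiveDeepExtend({}, JSON.parse(UNTRUSTED_JSON));
  const naivePolluted = isPolluted('polluted');   // true: every object now has .polluted
  delete Object.prototype.polluted;               // undo the damage for the rest of the run

  const safeResult = safeDeepExtend({}, JSON.parse(UNTRUSTED_JSON));
  const safePolluted = isPolluted('polluted');    // false: the key was skipped

  return {
    naivePolluted,
    safePolluted,
    naiveTheme: naiveResult.theme,
    safeTheme: safeResult.theme,
  };
}

console.log(demo());
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property, which is why `Object.keys` enumerates it and why the naive merge reaches `Object.prototype` through the target's `__proto__` accessor. A module that deep-merges request data into configuration objects is exactly the kind of code path the advisory has in mind when it says exploitation is possible “with some Drupal modules.”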

Patched Versions of Drupal

Drupal has released updates to Drupal 8.5 (8.5.15) and 8.6 (8.6.15) to address both SA-CORE-2019-005 and SA-CORE-2019-006. However, the Drupal 7 update (7.66) contains fixes for only SA-CORE-2019-006.

As a reminder, Drupal versions prior to 8 and 8.5.x are end-of-life (EOL) and therefore no longer receive security updates.

1 Reply

  • snarang
    Product Team

    Update 4/18:

    A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.