Published: 21/02/2019 Updated: 08/03/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 742
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x prior to 8.5.11 and Drupal 8.6.x prior to 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

Vulnerability Trend

Affected Products

Vendor | Product | Versions
Drupal | Drupal | 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.6.0, 8.6.1, 8.6.2, 8.6.3, 8.6.4, 8.6.5, 8.6.6, 8.6.7, 8.6.8, 8.6.9


##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # NOTE: All (four) Web Services modules need to be enabled
  Rank = NormalRanking

  include Msf::Exploit::Remote::HTTP::Drupal

  def initialize(info = {})
  ...
Analyzing the patch: By diffing Drupal 8.6.9 and 8.6.10, we can see that in the REST module, FieldItemNormalizer now uses a new trait, SerializedColumnNormalizerTrait. This trait provides the checkForSerializedStrings() method, which in short raises an exception if a string is provided for a value that is stored as a serialized string. This indicates ...
#!/usr/bin/env python3
# CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC
# 2019 @leonjza
# Technical details for this exploit are available at:
#   www.drupal.org/sa-core-2019-003
#   www.ambionics.io/blog/drupal8-rce
#   twitter.com/jcran/status/1099206271901798400
# Sample usage:
#
# $ python cve-2019-6340.py http ...

Mailing Lists

Drupal versions 8.6.9 and below REST service remote code execution proof of concept exploit ...

Metasploit Modules

Drupal RESTful Web Services unserialize() RCE

This module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.

msf > use exploit/unix/webapp/drupal_restws_unserialize
msf exploit(drupal_restws_unserialize) > show targets
msf exploit(drupal_restws_unserialize) > set TARGET <target-id>
msf exploit(drupal_restws_unserialize) > show options
      ...show and set options...
msf exploit(drupal_restws_unserialize) > exploit

Github Repositories

CVE-2019-6340
For educational purposes only

Run
$ docker run --rm -p 8080:80 knqyf263/cve-2019-6340

Exploit (GET)
$ curl -XGET -H "Content-Type: application/hal+json" "localhost:8080/node/1?_format=hal_json" -d '{ "link": [ { "value": "link", "options": "O:24:\"GuzzleHttp\\Psr7\\ ...

cve-2019-6340-bits: Bits generated while analyzing CVE-2019-6340 (Drupal RESTful RCE): modsec rule, pcap example, nginx config example, logs example, playbook.

007BOT: Website Vulnerability Scanner & Auto Exploiter. You can use this tool on your website to check the security of your website by finding the vulnerability in your website, or you can use this tool to Get Shells / Deface / Databases. git clone github.com/mrwn007/007BOT.git; cd 007BOT; python 007.py. OsCommerce Exploits: OsCommerce 2.x Core RCE ...

CVE-2019-6340: This is part of Cved, a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved. Image source: github.com/cved-sources/cve-2019-6340. Image author: github.com/cved-sources/cve-2019-6340

Drupal-SA-CORE-2019-003: CVE-2019-6340 / Drupal SA-CORE-2019-003 (CVE-2019-6340.md). Links: mp.weixin.qq.com/s/EQD4-K6HgBY9wdzeXeyzkg, paper.seebug.org/821/, www.youtube.com/watch?v=QtLDDN0Duko, pbs.twimg.com/media/D0C-KiXX4AM2vR3.jpg:large. CVE-2019-6340 isn't a default configuration; you have to manually enable RESTful web services.

CVE-2019-6340 / SA-CORE-2019-003: Three scripts included to demonstrate how Drupal 8.6.9 is vulnerable to CVE-2019-6340: create_node_via_rest.py - example of a normal authenticated node create with the REST API; does_not_correspond.py - proving the request is processed even without authentication; exploit.py - exploit the deserialization and execute a remote command. Download Drupal 8 ...

ICG-AutoExploiterBoT: Edit Line 46, add your Email Address for the Add admin joomla Exploit (use outlook.com Mail!). Note!: We don't accept any responsibility for any illegal usage - works on 3.x and 2.x version. Python free Penetration Testing tool. OsCommerce Exploits - OsCommerce 2.x Core RCE. Drupal Exploits - Drupal Add admin - Drupal BruteForcer - Drupal G...

Drupwn [v103]: Description: Drupwn claims to provide an efficient way to gather Drupal information. Further explanation in our blog post article. Supported tested versions: Drupal 7, Drupal 8. Execution mode: Drupwn can be run using two separate modes, enum and exploit. The enum mode allows performing enumerations, whereas the exploit mode allows checking and exploiting ...

CVE-2019-6340: Drupal 8's REST RCE, SA-CORE-2019-003

0x01
$ docker search CVE-2019-6340
NAME                     DESCRIPTION                             STARS  OFFICIAL  AUTOMATED
knqyf263/cve-2019-6340   Environment for CVE-2019-6340 (Drupal)  0
cved/cve-2019-6340       cve-2019-6340                           0

0x02
$ docker pull knqyf263/cve-20 ...

CVE-2019-6340 POC: Drupal RCE. python poc.py [url] [php func] [command] [node number]. Example: python poc.py 192.168.142.148/drupal-8.6.9/ system ipconfig 200. Twitter: @0w4ys

Detect CVE: Tool that detects the CVE of a website. Requirements: Python 2.7 or Python 3.4+. Works on Linux, Windows. Detects CVEs of Drupal sites: CVE-2018-7600 (Drupalgeddon) + CVE-2019-6340. With an input file (Drupal sites with version): autocraft-kznru|5 bergeraultcom|5 leisureandculturedundeecom|5. Returns normal site and vulnerable site (marked as |VULNERABLE|) or other cas...

Drupal Remote Shell: A remote shell using CVE-2018-7600 and CVE-2019-6340. Use: ./DRS(2).py http[s]://hostname|IP[:port]. The shell is very basic: no command completion, no directory change. DRS.py works with any Drupal vulnerable versions: <8.5.1, <8.4.6, <8.3.9 and <7.58. DRS2.py works with any Drupal vulnerable versions: <8.6.10, <8...

Exploits: Drupalgeddon2 [CVE-2018-7600]:
$ ruby -v
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux-gnu]
$ ruby drupalgeddon2.rb example.com
$ ruby drupalgeddon2-not-write-shell.rb <target> <version [7,8]> <command> [php_method] [form_path]
ruby drupalgeddon2-not-write-shell.rb 7 example.com whoami passthru [0, ...

Alien-Framework: Version: shellmaster - v4. More CVE Exploits. Install and use: [1] git clone github.com/colorblindpentester/Alien-Framework [2] cd Alien-Framework [3] python3 alien-framework.py. Features: [1] Completely automatic (no requirements.txt) [2] Easy to use [3] For Kali Linux and Parrot ...

Jok3r v3 beta: Network & Web Pentest Automation Framework. www.jok3r-framework.com. WARNING: Project is still in version 3 BETA. It is still under active development and bugs might be present. Many tests are going on: see github.com/koutto/jok3r/blob/master/tests/TESTS.rst. Ideas, bug reports, contributions are welcome! Overview, Features, Demos, Architecture ...

Project introduction: Information gathering, attack attempts to gain access, persistent control, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistent control built on that), and covering tracks. (Table columns: address | introduction; name | description.) List of security-related resources: arxiv.org - Cornell University open documents; github.com/sindresorhus/awesome ...

Project introduction: Information gathering, attack attempts to gain access, persistent control, privilege escalation, network reconnaissance, lateral movement, data analysis (with further persistent control built on that), and covering tracks. List of security-related resources: arxiv.org - Cornell University open documents; github.com/sindresorhus/awesome - the awesome series; www.owasp.org.cn/owasp-pr ...

Recent Articles

Cloudflare Deploys Firewall Rule to Block New Drupal Exploits
BleepingComputer • Sergiu Gatlan • 05 Mar 2019

Exploitation attempts of a highly critical vulnerability discovered in the Drupal content management software (CMS) on February 20 were blocked by Cloudflare using Web Application Firewall (WAF) rules designed to protect its customers' websites from being compromised.
According to Drupal project team's security advisory, the websites impacted by the vulnerability tracked as CVE-2019-6340 are those that have the Drupal 8 core RESTful Web Services (rest) module turned on, and also allo...

‘Highly critical’ bug exposes unpatched Drupal sites to attacks
welivesecurity • Tomáš Foltýn • 27 Feb 2019

Days after the team behind Drupal urged website admins to apply an update patching a highly critical vulnerability in the content management system (CMS) platform, threat actors were spotted exploiting the loophole in the wild.
The remote code execution (RCE) vulnerability in the Drupal core was assigned a security risk score of 23/25 by the organization behind the platform. The flaw, tracked as CVE-2019-6340, stems from the fact that “some field types do not properly sanitize data from ...

Highly Critical Drupal RCE Flaw Affects Millions of Websites
Threatpost • Tara Seals • 21 Feb 2019

The Drupal open-source content management system platform has issued an advisory for a highly critical remote-code execution (RCE) flaw in the Drupal core.
The vulnerability (CVE-2019-6340) arises from the fact that “some field types do not properly sanitize data from non-form sources,” according to Drupal’s Wednesday advisory, which was published a day after it warned admins that a major security update was coming.
Insufficient input validation can result in various kinds of...

Drupal Fixes “Highly Critical” Vulnerability
BleepingComputer • Ionut Ilascu • 21 Feb 2019

Administrators of websites running the Drupal content management software (CMS) are urged to take immediate action to mitigate a newly discovered vulnerability that can lead to remote execution of PHP code under specific circumstances.
The critical bug has been assigned the CVE-2019-6340 identifier and is in Drupal core. It affects branches 8.5.x and 8.6.x of the CMS, which fix the problem in versions 8.5.11 and 8.6.10, respectively.
It is worth noting that releases prior to 8....

No RESTful the wicked: If your website runs Drupal, you need to check for security updates – unless you enjoy being hacked
The Register • Shaun Nichols in San Francisco • 20 Feb 2019


Website admins are today urged to update their Drupal installations following the disclosure of a potentially serious vulnerability in the web publishing software. And when we say potentially serious, we mean, someone can potentially hack and hijack your site via this flaw.
The security hole, designated CVE-2019-6340, is a remote-code-execution flaw caused by Drupal neglecting to properly check data from RESTful web services.
A successful exploit of the vulnerability would allow a ha...