Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.
The issue, which resides in Drupal 8.7.4, is an access bypass vulnerability that can be triggered when the experimental Workspaces module is enabled.
The vulnerability can be mitigated by disabling the Workspaces module.
“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” the advisory continues.
The development team pointed out that the flaw only affects the Drupal 8.7.4 release; earlier versions are not affected.
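The advisory's scope and mitigation above can be turned into a small site check. The script below is an added example, not code from the advisory or the Drupal project; it assumes Drush is installed and that it is run from the site root, and the `--live` flag and the function names are the example's own.

```shell
#!/bin/sh
# Added example: decide whether a Drupal site is exposed to CVE-2019-6342
# (exactly core 8.7.4 with the Workspaces module enabled) and print the
# mitigation the advisory requires. Assumes Drush is available on PATH.

# is_affected VERSION WORKSPACES_ENABLED
#   VERSION            core version string, e.g. "8.7.4"
#   WORKSPACES_ENABLED "yes" or "no"
# Returns 0 (true) only for the single vulnerable release with Workspaces on;
# earlier releases and 8.7.5 (the fixed release) are not affected.
is_affected() {
  [ "$1" = "8.7.4" ] && [ "$2" = "yes" ]
}

# Steps for an affected site, printed rather than executed so an operator can
# review them: disable the module, run the database updates that update.php
# would run (required cache clear), then rebuild caches. Reverse proxy or CDN
# caches (Varnish, Cloudflare) must be purged separately.
mitigation_plan() {
  printf '%s\n' \
    'drush pm:uninstall workspaces -y' \
    'drush updatedb -y' \
    'drush cache:rebuild'
}

# Live check via Drush; only runs when the script is invoked with --live.
check_site() {
  version=$(drush status --field=drupal-version 2>/dev/null) || return 2
  ws=$(drush php:eval \
    'print \Drupal::moduleHandler()->moduleExists("workspaces") ? "yes" : "no";' \
    2>/dev/null) || return 2
  if is_affected "$version" "$ws"; then
    echo "AFFECTED: Drupal $version with Workspaces enabled (CVE-2019-6342)"
    echo "Mitigation:"
    mitigation_plan
    return 1
  fi
  echo "Not affected: Drupal $version, workspaces enabled=$ws"
  return 0
}

if [ "${1:-}" = "--live" ]; then
  check_site
fi
```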
The flaw was reported by Dave Botsch; the good news is that there is no evidence of cyber attacks exploiting the flaw in the wild. Anyway,
The U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.
Drupal websites are privileged targets for hackers; in the past, several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors in the wild started exploiting the issue to deliver