DRUPAL-CORE-2019-003

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2019-003.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CORE-2019-003

Aliases

Published

2019-02-20T19:18:48Z

Modified

2025-12-10T23:41:09.322988Z

Summary

[none]

Details

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests, or
the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)

Updates

2019-02-22: Updated risk score given new information; see PSA-2019-02-22. The security risk score has been updated to 23/25 as there are now known exploits in the wild. In addition, any enabled REST resource end-point, even if it only accepts GET requests, is also vulnerable. Note this does not include REST exports from Views module.

References

https://www.drupal.org/sa-core-2019-003

Credits

- Samuel Mortenson
- - https://www.drupal.org/user/2582268

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type

ECOSYSTEM

Events

Introduced

8.0.0

Fixed

8.5.11

Database specific

{
    "constraint": ">= 8.0.0 <8.5.11"
}

Type

ECOSYSTEM

Events

Introduced

8.6.0

Fixed

8.6.10

Database specific

{
    "constraint": ">=8.6.0 <8.6.10"
}

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

Database specific

affected_versions

">= 8.0.0 <8.5.11 || >=8.6.0 <8.6.10"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2019-003.json"