NVD Vulnerability Detail

CVE-2019-6340

Summary	Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
Publication Date	Feb. 22, 2019, 6:29 a.m.
Registration Date	Jan. 26, 2021, 11:43 a.m.
Last Update	Nov. 21, 2024, 1:46 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/107106	Third Party Advisory VDB Entry
2	https://www.drupal.org/sa-core-2019-003	Mitigation Vendor Advisory
3	https://www.exploit-db.com/exploits/46452/	Patch Third Party Advisory VDB Entry
4	https://www.exploit-db.com/exploits/46459/	Exploit Third Party Advisory VDB Entry
5	https://www.exploit-db.com/exploits/46510/	Exploit Third Party Advisory
6	https://www.synology.com/security/advisory/Synology_SA_19_09	Third Party Advisory
7	http://www.securityfocus.com/bid/107106	Third Party Advisory VDB Entry
8	https://www.synology.com/security/advisory/Synology_SA_19_09	Third Party Advisory
9	https://www.exploit-db.com/exploits/46510/	Exploit Third Party Advisory
10	https://www.exploit-db.com/exploits/46459/	Exploit Third Party Advisory VDB Entry
11	https://www.exploit-db.com/exploits/46452/	Patch Third Party Advisory VDB Entry
12	https://www.drupal.org/sa-core-2019-003	Mitigation Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-502	信頼性のないデータのデシリアライゼーション	https://cwe.mitre.org/data/definitions/502.html

JVN Vulnerability Information

Drupal における入力確認に関する脆弱性

Title	Drupal における入力確認に関する脆弱性
Summary	Drupal には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 20, 2019, midnight
Registration Date	April 2, 2019, 2:59 p.m.
Last Update	April 2, 2019, 2:59 p.m.

Affected System

Drupal

Drupal 8.5.11 未満の 8.5.x

Drupal 8.6.10 未満の 8.6.x

Drupal 8.5.11 未満の 8.5.x

Drupal 8.6.10 未満の 8.6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-6340	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340
2	CVE-2019-6340	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340
National Vulnerability Database (NVD)
3	CVE-2019-6340	https://nvd.nist.gov/vuln/detail/CVE-2019-6340
4	CVE-2019-6340	https://nvd.nist.gov/vuln/detail/CVE-2019-6340

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

Change Log

No	Changed Details	Date of change
1	[2019年04月02日] 掲載	April 2, 2019, 2:59 p.m.