What is CNNVD's report on Drupal Core remote code execution vulnerabilities?

The National Information Security Vulnerability Database (CNNVD) received reports about Drupal Core remote code execution vulnerabilities (CNNVD-201804-1490, CVE-2018-7602). An attacker who successfully exploited this vulnerability could conduct remote code execution attacks on the target system. Multiple versions of Drupal, including version 7.x and version 8.x, are affected by this vulnerability. Currently, part of the vulnerability verification code for this vulnerability has been made public on the Internet, and Drupal has officially released a patch to fix the vulnerability. It is recommended that users promptly confirm whether they are affected by the vulnerability and take patching measures as soon as possible.

1. Vulnerability introduction

Drupal is a free and open source content management framework developed in PHP language maintained by the Drupal community. It It is composed of content management system (CMS) and PHP development framework (Framework).

Drupal Core remote code execution vulnerability (CNNVD-201804-1490, CVE-2018-7602), this vulnerability is similar to the previous Drupal Core remote code execution vulnerability in March 2018 (CNNVD-201803-1136, CVE- 2018-7600), the vulnerability stems from Drupal’s official incomplete patching of the vulnerability, which allows the patch to be bypassed, thereby achieving remote code execution.

2. Hazardous Impact

An attacker who successfully exploits this vulnerability can conduct remote code execution attacks on the target system. In the near future, there is a high possibility that part of the verification code of this vulnerability published on the Internet will be exploited. The versions affected by the vulnerability are as follows:

Drupal version 7.x, Drupal version 8.x.

3. Repair Suggestions

Currently, Drupal has officially released a patch to fix the vulnerability. Users are asked to check the product version in a timely manner. If it is confirmed that the vulnerability is affected, please press as soon as possible. The following measures are taken for protection.

1. Upgrade Drupal version:

Please upgrade Drupal 7.x to Drupal 7.59 version.

Please upgrade Drupal 8.4.x to version 8.4.8

Please upgrade Drupal 8.5.x to Drupal 8.5.3.

2. If the user cannot upgrade the version immediately, please update the patch. The patch address is:

## VersionPatch address7.X versionhttps://cgit.drupalcode.org/drupal/rawdiff /?h=7.x&id=080daa38f265ea28444c540832509a48861587d0Drupal 8. xhttps://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id =bb6d396609600d1169da29456ba3db59abae4b7e

The above is the detailed content of What is CNNVD's report on Drupal Core remote code execution vulnerabilities?. For more information, please follow other related articles on the PHP Chinese website!