View online: https://www.drupal.org/sa-core-2020-005
Project: Drupal core [1]
Date: 2020-June-17
Security risk: *Critical* 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664
Description: Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.
An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
Windows servers are most likely to be affected.
Solution: Install the latest version:
* If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 [3].
* If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 [4].
* If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 [5].
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
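To triage a fleet of sites against the version matrix above, a check such as the following can be run on the core version string that `composer show drupal/core` or `drush status` reports. This is an added example, not code from the Drupal project or from this advisory; it assumes the site reports a plain `x.y.z` version (a `v` prefix or a `-rc1` style suffix is tolerated), and branches the advisory does not name are reported as `not_listed` rather than guessed at.

```python
import re
import sys

# Fixed releases from SA-CORE-2020-005, keyed by the affected minor branch.
FIXED_RELEASES = {
    (8, 8): (8, 8, 8),
    (8, 9): (8, 9, 1),
    (9, 0): (9, 0, 1),
}
# 8.7.x and earlier are end-of-life; the advisory sends them to 8.8.8.
EOL_TARGET = (8, 8, 8)

# Accepts "8.8.7", "v8.8.7", "7.72" (Drupal 7 has no patch component)
# and pre-release suffixes such as "9.0.1-rc1".
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?\s*$"
)


def parse_version(text):
    """Parse a Drupal core version string into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre


def assess(version_text):
    """Return (status, target) for SA-CORE-2020-005.

    status: 'fixed', 'affected', 'eol', 'out_of_scope' or 'not_listed'.
    target: the release the site should be on, or None.
    """
    major, minor, patch, pre = parse_version(version_text)
    if major < 8:
        # Drupal 7 is not within this advisory's scope.
        return "out_of_scope", None
    if major == 8 and minor < 8:
        return "eol", EOL_TARGET
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # 8.10+/9.1+ are not named in the advisory; report rather than guess.
        return "not_listed", None
    installed = (major, minor, patch)
    # A pre-release of the fixed patch level (e.g. "9.0.1-rc1") predates the fix.
    if installed > fixed or (installed == fixed and pre is None):
        return "fixed", fixed
    return "affected", fixed


def format_target(target):
    """Render a version tuple as 'x.y.z', or '-' when there is no target."""
    return ".".join(str(n) for n in target) if target else "-"


if __name__ == "__main__":
    # Usage: python triage.py 8.8.7 9.0.0 8.7.14   (constructed sample inputs)
    for arg in sys.argv[1:] or ["8.8.7"]:
        status, target = assess(arg)
        print(f"{arg}: {status} (upgrade to {format_target(target)})")
```

The version comparison is done on integer tuples rather than strings so that 8.8.10 sorts after 8.8.8; a pre-release tag on the fixed patch level is treated as older than the fix because it was cut before it.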
Reported By:
* Lorenzo G [6]
* Sam Thomas [7]
Fixed By:
* Jess [8] of the Drupal Security Team
* Samuel Mortenson [9] of the Drupal Security Team
* Peter Wolanin [10] of the Drupal Security Team
* Lorenzo G [11]
* Lee Rowlands [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
* Cash Williams [14] of the Drupal Security Team
* Heine [15] of the Drupal Security Team
* Drew Webber [16] of the Drupal Security Team
* Alex Pott [17] of the Drupal Security Team
* Gábor Hojtsy [18]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/drupal/releases/8.8.8
[4] https://www.drupal.org/project/drupal/releases/8.9.1
[5] https://www.drupal.org/project/drupal/releases/9.0.1
[6] https://www.drupal.org/user/3644903
[7] https://www.drupal.org/user/3603418
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/2582268
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/user/3644903
[12] https://www.drupal.org/user/395439
[13] https://www.drupal.org/user/36762
[14] https://www.drupal.org/user/421070
[15] https://www.drupal.org/user/17943
[16] https://www.drupal.org/user/255969
[17] https://www.drupal.org/user/157725
[18] https://www.drupal.org/user/4166