{"id":3088,"date":"2017-06-27T13:40:15","date_gmt":"2017-06-27T20:40:15","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3088"},"modified":"2019-08-19T13:41:55","modified_gmt":"2019-08-19T20:41:55","slug":"three-drupal-updates-patch-critical-vulnerabilities","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/three-drupal-updates-patch-critical-vulnerabilities\/","title":{"rendered":"Three Drupal Updates Patch Critical Vulnerabilities"},"content":{"rendered":"
Issue<\/strong> Impact<\/strong> Recommendations<\/strong> \u00a0Three Drupal updates patch critical vulnerabilities Issue One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution. Impact Drupal is one of the most popular content management systems in use, and the vulnerability described in\u00a0CVE-2017-6920 gives an attacker the same capabilities on the system […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3088"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088\/revisions"}],"predecessor-version":[{"id":3089,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088\/revisions\/3089"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nOne of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.<\/p>\n
\nDrupal is one of the most popular content management systems in use, and the vulnerability described in\u00a0CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.
\nThis vulnerability is in the PECL YAML parser and is related to a bug found recently in PHP. \u00a0PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not \u201cfix\u201d the vulnerability.
\nDrupal updated their code, changing the way they pass input to the affected functions and is no longer vulnerable to this attack vector.
\nYAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.<\/p>\n
\nRecent high profile website hack and defacements emphasize the need to check your content management system implementation and ensure it is up to date.<\/p>\n<\/div>\n\n
\nDrupal update:<\/div>\n\n
\n
\n