2020-06-18 Drupal Core Critical security issues: SA-CORE-2020-005 and SA-CORE-2020-004
Drupal has published security advisories for critical issues affecting all currently supported major versions:
SA-CORE-2020-004 is a Cross-Site Request Forgery (CSRF) issue. The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
SA-CORE-2020-005 is a PHP code execution issue. An attacker could trick an administrator into visiting a malicious site, which could result in a carefully named directory being created on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
How To Patch It
- If you are using Drupal 7.x, upgrade to Drupal 7.72.
- If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
- If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
- If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.
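Before and after upgrading, it helps to confirm which branch a deployment is on and whether it is already at the fixed release. The following check is an added example written for this notice; it is not Bitnami's or Drupal's own code. It reads the version string the way Drupal declares it in its own source (`define('VERSION', ...)` in `includes/bootstrap.inc` for Drupal 7, `const VERSION = ...` in `core/lib/Drupal.php` for Drupal 8 and 9) and compares it against the fixed releases listed above. The mapping of unsupported 8.x branches older than 8.8 onto the 8.8.8 target is an assumption of this example, not a statement from the advisory; the sample file contents are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by branch. Mapping 8.x branches
# older than 8.8 onto 8.8.8 is an assumption of this example (those branches
# are out of support and get no separate fix).
FIXED_RELEASES = {
    "7": (7, 72),
    "8.8": (8, 8, 8),
    "8.9": (8, 9, 1),
    "9.0": (9, 0, 1),
}

# How Drupal declares its own version:
#   Drupal 7:    includes/bootstrap.inc  ->  define('VERSION', '7.71');
#   Drupal 8/9:  core/lib/Drupal.php     ->  const VERSION = '8.8.7';
_VERSION_PATTERNS = (
    re.compile(r"define\('VERSION',\s*'([0-9A-Za-z.\-]+)'\)"),
    re.compile(r"const VERSION\s*=\s*'([0-9A-Za-z.\-]+)';"),
)

# Constructed samples of the two declaration styles (not real deployment files).
SAMPLE_BOOTSTRAP_INC = "<?php\ndefine('VERSION', '7.71');\ndefine('DRUPAL_CORE_COMPATIBILITY', '7.x');\n"
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.8.7';\n}\n"


def extract_version(source: str) -> Optional[str]:
    """Pull the VERSION string out of bootstrap.inc / Drupal.php contents."""
    for pattern in _VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.8.8-dev' into a comparable tuple.

    The last element is 1 for a final release and 0 for a pre-release
    (-dev, -rc1, ...), so 8.8.8-dev sorts before 8.8.8 and is still
    reported as needing the update.
    """
    core, sep, _suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers + ((0,) if sep else (1,))


def fixed_release_for(parsed: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Map an installed version onto the fixed release for its branch."""
    major = parsed[0]
    if major == 7:
        target = FIXED_RELEASES["7"]
    elif major == 8:
        target = FIXED_RELEASES["8.9"] if parsed[1] >= 9 else FIXED_RELEASES["8.8"]
    elif major == 9:
        target = FIXED_RELEASES["9.0"]
    else:
        return None  # a major version this advisory does not cover
    return target + (1,)  # fixed releases are final releases


def needs_upgrade(version: str) -> Tuple[bool, Optional[str]]:
    """Return (needs_upgrade, target_version) for an installed version string."""
    parsed = parse_version(version)
    target = fixed_release_for(parsed)
    if target is None:
        return False, None
    target_str = ".".join(str(n) for n in target[:-1])
    return parsed < target, target_str


def check_source(source: str) -> Tuple[Optional[str], bool, Optional[str]]:
    """Combine extraction and comparison: (found_version, needs_upgrade, target)."""
    version = extract_version(source)
    if version is None:
        return None, False, None
    upgrade, target = needs_upgrade(version)
    return version, upgrade, target


if __name__ == "__main__":
    for name, sample in (("bootstrap.inc", SAMPLE_BOOTSTRAP_INC), ("Drupal.php", SAMPLE_DRUPAL_PHP)):
        found, upgrade, target = check_source(sample)
        print(f"{name}: installed {found}, needs upgrade: {upgrade}, target {target}")
```

On a real server, pass the contents of `includes/bootstrap.inc` or `core/lib/Drupal.php` from the Drupal document root to `check_source`; a `True` in the second position means the site is still below the fixed release for its branch.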
Affected platforms
All the Bitnami Drupal solutions and Drupal-based solutions, CiviCRM and OpenAtrium, are affected by this issue. Updated versions of all of them have already been released on all supported platforms: installers, virtual machines, cloud images, containers and Helm charts.
If you have any of these solutions deployed and they have not yet been updated to the latest version, follow the upgrade process described in our documentation.
Do you have more questions? Please post to our community forums so we can help you there.