
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN352
_____________________________________________________________________

DATE                : 18/06/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to 7.72,
                                      8.8.8, 8.9.1, 9.0.1.

=====================================================================
https://www.drupal.org/sa-core-2020-004
https://www.drupal.org/sa-core-2020-005
https://www.drupal.org/sa-core-2020-006
_____________________________________________________________________

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Project: Drupal core
Date: 2020-June-17

Security risk:
Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All


Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13663


Description:

The Drupal core Form API does not properly handle certain form input
from cross-site requests, which can lead to other vulnerabilities.


Solution:

    If you are using Drupal 7.x, upgrade to Drupal 7.72.
    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.


Reported By:

    Samuel Mortenson of the Drupal Security Team
    Dor Tumarkin

Fixed By:

    Greg Knaddison of the Drupal Security Team
    Samuel Mortenson of the Drupal Security Team
    Jess of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    Angie Byron of the Drupal Security Team
    Peter Wolanin of the Drupal Security Team
    Daniel Wehner
    Dor Tumarkin
    Drew Webber of the Drupal Security Team
    Alex Pott of the Drupal Security Team
    David Snopek of the Drupal Security Team
    Brandon Bergren

_____________________________________________________________________

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Project: Drupal core
Date: 2020-June-17

Security risk:
Critical 17/25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664


Description:

Drupal 8 and 9 have a remote code execution vulnerability under certain
circumstances.

An attacker could trick an administrator into visiting a malicious site
that could result in creating a carefully named directory on the file
system. With this directory in place, an attacker could attempt to brute
force a remote code execution vulnerability.

Windows servers are most likely to be affected.


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.


Reported By:

    Lorenzo G
    Sam Thomas


Fixed By:

    Jess of the Drupal Security Team
    Samuel Mortenson of the Drupal Security Team
    Peter Wolanin of the Drupal Security Team
    Lorenzo G
    Lee Rowlands of the Drupal Security Team
    Greg Knaddison of the Drupal Security Team
    Cash Williams of the Drupal Security Team
    Heine of the Drupal Security Team
    Drew Webber of the Drupal Security Team
    Alex Pott of the Drupal Security Team
    Gábor Hojtsy



_____________________________________________________________________

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Project: Drupal core
Date: 2020-June-17

Security risk:
Less critical 8/25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon

Vulnerability: Access bypass
CVE IDs: CVE-2020-13665


Description:

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API runs in read-only mode, which makes the
vulnerability impossible to exploit. Only sites that have read_only set
to FALSE in the jsonapi.settings configuration are vulnerable.
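The setting the advisory refers to is the read_only key of the
jsonapi.settings configuration object. The following is an added
example, not part of the CERT-Renater note or the Drupal advisory: it
shows what that configuration looks like when exported (Drupal writes it
as jsonapi.settings.yml in the site's config sync directory), first in
the exposed state and then in the default, safe state. The exact
export format (a single read_only key) is assumed from Drupal's config
export conventions; the key name and values come from the advisory.

```yaml
# Added example, not from the advisory: exported jsonapi.settings config.
# Document 1: exposed state. JSON:API accepts write requests (including
# PATCH), so a site running a version listed in SA-CORE-2020-006 is
# affected by the validation bypass until it is upgraded.
read_only: false
---
# Document 2: default state. JSON:API only serves read requests, so the
# PATCH validation bypass cannot be reached. Sites that do not need
# JSON:API writes can keep (or restore) this value as a mitigation while
# scheduling the upgrade to 8.8.8 / 8.9.1 / 9.0.1.
read_only: true
```

To check a live site rather than an export, the value can be read with
Drush ("drush config:get jsonapi.settings read_only") or from the
JSON:API settings page in the administration UI; a result of false means
the site is in the vulnerable configuration described above.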


Solution:

Install the latest version:

    If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
    If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
    If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage. Sites on 8.7.x or earlier should update to 8.8.8.


Reported By:

    Sergii Bondarenko


Fixed By:

    Sergii Bondarenko
    Wim Leers
    Jess of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team




=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


