Published on: 21 February 2019
Last update on: 27 February 2019
Drupal released security updates to fix a vulnerability residing in Drupal Core and its modules. An attacker could exploit the vulnerability by sending a specially crafted PUT/PATCH/POST request to a vulnerable system.
Reports indicate that active exploitation of the vulnerability (CVE-2019-6340) has been observed. Users are advised to take immediate action to patch their affected systems and update all affected contributed modules to mitigate the elevated risk of cyber attacks.
Please note that no security updates will be provided for versions of Drupal 8 prior to 8.5.x. Users should upgrade Drupal to a supported branch or arrange to migrate to another supported technology.
A successful attack could lead to remote code execution on an affected system.
The product vendor has released patches to address the issues.
https://thehackernews.com/2019/02/drupal-hacking-exploit.html
https://www.imperva.com/blog/latest-drupal-rce-flaw-used-by-cryptocurrency-miners-and-other-attackers/
https://www.drupal.org/sa-core-2019-003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340