Drupal 8 and 9 core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Drupal Security

Project: Drupal core
Date: 2020-June-17
Security risk: Critical 17/25
Vulnerability: Arbitrary PHP code execution
CVE IDs: CVE-2020-13664

Description

Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances.

An attacker could trick an administrator into visiting a malicious site, which could result in a carefully named directory being created on the server's file system. With that directory in place, the attacker could then attempt to brute-force a remote code execution vulnerability.

Windows servers are most likely to be affected.

Solution

Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.
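For anyone maintaining more than one site, the upgrade targets above are easiest to act on as a triage check over an inventory of installed core versions. The following helper is an added example for this advisory, not code from Drupal or the advisory itself; it assumes you can collect each site's core version string (as found in core's VERSION constant) and feeds it a constructed sample inventory. It encodes the three fixed releases named above, treats 8.x branches older than 8.8 as end-of-life with 8.8.8 as the target, handles pre-release tags conservatively (an 8.8.8-rc1 build is older than 8.8.8), and flags branches the advisory does not list, such as Drupal 7, for separate review rather than guessing.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed releases named in SA-CORE-2020-005, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 8): (8, 8, 8),
    (8, 9): (8, 9, 1),
    (9, 0): (9, 0, 1),
}

# Per the advisory, 8.x branches before 8.8 are end-of-life and must move to 8.8.8.
OLDEST_COVERED_BRANCH = (8, 8)
EOL_UPGRADE_TARGET = "8.8.8"

# Matches release and pre-release strings such as 8.8.7, 7.72 or 8.8.8-rc1;
# placeholders with a non-numeric component (e.g. 9.0.x-dev) are rejected.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?:-(?P<pre>[0-9A-Za-z.]+))?$"
)


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Split a Drupal core version into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {version!r}")
    major = int(m.group("major"))
    minor = int(m.group("minor"))
    patch = int(m.group("patch") or 0)
    return major, minor, patch, m.group("pre") is not None


def _fmt(v: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


def assess(version: str) -> Dict[str, Optional[str]]:
    """Classify one site's core version against SA-CORE-2020-005.

    status values:
      patched      - on a listed branch at or above its fixed release
      vulnerable   - on a listed branch below its fixed release
      end_of_life  - 8.x branch older than 8.8 (no coverage; upgrade to 8.8.8)
      not_listed   - branch not named in the advisory (e.g. Drupal 7, or
                     branches released after the fix); review separately
    """
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        current = (major, minor, patch)
        # A pre-release tag such as 8.8.8-rc1 predates the final 8.8.8 build,
        # so it only counts as patched if it is strictly newer than the fix.
        patched = current > fixed or (current == fixed and not prerelease)
        return {
            "version": version,
            "status": "patched" if patched else "vulnerable",
            "upgrade_to": None if patched else _fmt(fixed),
        }
    if major == 8 and branch < OLDEST_COVERED_BRANCH:
        return {"version": version, "status": "end_of_life", "upgrade_to": EOL_UPGRADE_TARGET}
    return {"version": version, "status": "not_listed", "upgrade_to": None}


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Assess a (site_name, version) inventory, most urgent sites first."""
    rows = []
    for site, version in inventory:
        row = assess(version)
        row["site"] = site
        rows.append(row)
    order = {"vulnerable": 0, "end_of_life": 1, "not_listed": 2, "patched": 3}
    rows.sort(key=lambda r: (order[r["status"]], r["site"]))
    return rows


# Constructed sample inventory (hypothetical site names, not real hosts).
SAMPLE_INVENTORY = [
    ("intranet", "8.8.7"),
    ("shop", "9.0.1"),
    ("legacy-blog", "8.7.14"),
    ("docs", "8.9.0"),
    ("archive", "7.72"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['site']:<12} {row['version']:<8} {row['status']:<12} "
              f"{row['upgrade_to'] or '-'}")
```

Running it lists the two vulnerable sites first, then the end-of-life 8.7.x site, then the Drupal 7 site that this advisory does not cover, and finally the already-patched 9.0.1 site. The `not_listed` bucket is deliberate: a script that silently marks an unknown branch as safe is the kind of check that hides the one site you forgot about.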

Alan Mels
CEO & Founder
Drupal and Backdrop aficionado since bronze age.