CVE-2018-14773: 3rd-party libraries bug allows attacker to take full control of the affected Drupal websites
Vulnerabilities in the Symfony component were tracked as CVE-2018-14773, which could be exploited by attackers to take complete control of the affected Drupal site. A hacker can use this bug to attack the Drupal website by using a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP header.
Drupal’s maintenance staff solved the security bypass vulnerability by releasing a new version of the popular content management system version 8.5.6.
“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.”
CVE-2018-14773
Affected version
- Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2
- Drupal 8.x versions before 8.5.6
Unaffected version
- Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3
- Drupal 8.5.6
Solution
Upgrade to the unaffected version.
