Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
Briefly

Drupal has released security updates for a highly critical vulnerability in Drupal Core that can be exploited to achieve remote code execution, privilege escalation, or information disclosure. The flaw can be exploited by anonymous users and affects only sites that use PostgreSQL. Fixed releases are available for the supported 11.3, 11.2, 10.6, and 10.5 branches, and those releases also carry upstream security updates for Symfony and Twig, so the latest release in each branch should be installed. Drupal 7 is not affected. Drupal 11.1.x, 11.0.x, 10.4.x, and earlier are end-of-life and receive no security coverage; manual patches were released for Drupal 8 and 9, which are also end-of-life. The unsupported releases and patches are provided as a best effort and still contain other previously disclosed vulnerabilities.
"Drupal has released security updates for a 'highly critical' security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as said. 'This can lead to information disclosure, and in some cases, privilege escalation, remote code execution, or other attacks.'"
"Drupal noted that the security flaw can be exploited by anonymous users, and impacts only sites that use PostgreSQL. The following versions address the issue - Drupal 7 isn't affected. The releases for supported branches (versions 11.3, 11.2, 10.6, and 10.5) include upstream security updates for Symfony and Twig, making it essential that the latest versions are installed."
"As previously disclosed by Drupal, manual patches have also been released for Drupal versions 9 and 8, which have reached end-of-life. 'Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage,' Drupal said. 'Drupal 8 and Drupal 9 have both reached end-of-life.'"
"'Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.'"
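A triage check for the advisory above, written as an added example (not Drupal's or The Hacker News' code). It encodes only what the page states: the flaw affects PostgreSQL-backed sites; fixed releases exist for the 11.3, 11.2, 10.6 and 10.5 branches; 11.1.x, 11.0.x, 10.4.x and below are end-of-life without coverage; Drupal 8 and 9 are end-of-life with best-effort manual patches; Drupal 7 is not affected. The exact patched point releases are not on the page, so the script reports branch status only and leaves it to the operator to confirm they are on the latest release in that branch. The sample settings.php fragment and composer.lock are constructed for the example.

```python
"""Classify a Drupal site against the PostgreSQL Drupal Core advisory.

Added example; it reads the database driver from a settings.php text and the
drupal/core version from a composer.lock text, then applies the branch
statements the advisory makes. Sample inputs below are constructed.
"""
import json
import re
from typing import Optional

# Branches the advisory says received fixed releases.
SUPPORTED_BRANCHES = {(11, 3), (11, 2), (10, 6), (10, 5)}


def database_driver(settings_php: str) -> Optional[str]:
    """Return the 'driver' value from a Drupal settings.php ('pgsql', 'mysql', 'sqlite', ...)."""
    m = re.search(r"""['"]driver['"]\s*=>\s*['"]([A-Za-z0-9_]+)['"]""", settings_php)
    return m.group(1) if m else None


def core_version(composer_lock: str) -> Optional[str]:
    """Return the installed drupal/core version recorded in composer.lock JSON."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"].lstrip("v")
    return None


def classify(driver: Optional[str], version: Optional[str]) -> str:
    """Map (driver, core version) to the status the advisory describes."""
    if driver is None or version is None:
        return "unknown: could not determine database driver or core version"
    if driver != "pgsql":
        return "not affected: this advisory only affects sites on PostgreSQL"
    m = re.match(r"(\d+)(?:\.(\d+))?", version)
    if not m:
        return f"unknown: unparseable core version {version!r}"
    major, minor = (int(x) for x in m.groups(default="0"))
    if major == 7:
        return "not affected: Drupal 7 is not affected"
    if major in (8, 9):
        return (f"end-of-life: Drupal {major} has a best-effort manual patch only; "
                "other previously disclosed flaws remain unfixed")
    if (major, minor) in SUPPORTED_BRANCHES:
        # The page does not list point releases, so only the branch is checked here.
        return f"affected, supported: update to the latest {major}.{minor}.x release"
    if (major == 10 and minor <= 4) or (major == 11 and minor <= 1):
        return (f"affected, end-of-life: {major}.{minor}.x has no security coverage; "
                "move to a supported branch")
    return "branch not listed in the advisory; check drupal.org directly"


def triage(settings_php: str, composer_lock: str) -> str:
    """Convenience wrapper: parse both files and classify."""
    return classify(database_driver(settings_php), core_version(composer_lock))


# Constructed sample inputs (not from any real site).
SAMPLE_SETTINGS = """
$databases['default']['default'] = [
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'secret',
  'host' => 'localhost',
  'port' => '5432',
  'driver' => 'pgsql',
  'prefix' => '',
];
"""
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "10.4.8"}]})

if __name__ == "__main__":
    print(triage(SAMPLE_SETTINGS, SAMPLE_LOCK))
```

Run it against the site's real `sites/default/settings.php` and `composer.lock`; a result of "affected, supported" still requires checking that the installed version is the branch's latest release, since the page gives branch names rather than patched point versions.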
Read at The Hacker News