
The Drupal Security Team issued a Monday PSA warning of a highly critical vulnerability in Drupal core and urged users to reserve time to install the fix immediately when it is released on Wednesday, May 20, between 1700 and 2100 UTC. The PSA withholds technical specifics until the patch release window. The vulnerability affects Drupal core, not the preconfigured Drupal CMS. Sites using Drupal Steward are protected against known attack vectors, but updates are still recommended in case new exploit methods appear. Drupal advises updating to the latest supported release before the security window so that other upgrade issues can be addressed in advance. The vulnerability's severity score is 20 out of 25 under NIST-based scoring, and exploitation is described as trivially easy without requiring privileges.
"If you use Drupal, get ready to patch without delay. The org behind the popular open source content management system is warning of a highly critical vulnerability in Drupal core that is serious enough for it to tell users ahead of Wednesday's patch release to set aside time to install the fix immediately."
"The Drupal Security Team's Monday PSA announcing the imminent patch for Drupal core doesn't include any specifics, with the PSA noting that Drupal isn't willing to share additional information until the announcement is made alongside the patch release. That, says Drupal, will happen at some point between 1700 and 2100 UTC on Wednesday, May 20."
"The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Drupal also recommends users update to the latest supported release prior to Wednesday's patch 'so that you can address any other upgrade issues before the security window.'"
"Drupal noted that sites using Drupal Steward, its paid web application firewall service, are protected against known attack vectors, though it still recommends Steward customers update their core instances in case additional exploit methods emerge. While it won't get specific on the nature of the vulnerability, Drupal did share its severity score based on NIST's standard scoring methodology, and it's not good: The bug scored 20 out of a max of 25."
Read at theregister