Platform: drupal
Component: drupal
Fixed in: 8.0.1, 8.7.5
CVE-2019-6342 is an access bypass vulnerability in Drupal Core. It allows an attacker to circumvent access controls and potentially gain unauthorized access to sensitive data and functionality. The vulnerability affects Drupal Core versions up to 8.7.4; it can be mitigated by disabling the experimental Workspaces module, and a fix is available in version 8.7.5.
The impact of CVE-2019-6342 is significant because the access bypass is complete. An attacker who successfully exploits the flaw can modify data, create or delete content, and potentially compromise the entire Drupal instance. This is particularly concerning for sites that use the Workspaces module: the module exists to provide isolated development environments, and those environments could be targeted to gain broader access. Because the bypass sidesteps access controls altogether, it effectively grants the attacker administrative privileges, enabling any action within the Drupal system.
CVE-2019-6342 was publicly disclosed on January 11, 2024. While no active exploitation campaigns have been definitively linked to this vulnerability, its CRITICAL severity and ease of exploitation mean it remains a significant risk. No public proof-of-concept exploits are widely available, but the simplicity of the bypass makes it likely that they will emerge. It is not listed in the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.20% (42nd percentile)
CVSS Vector
The primary mitigation for CVE-2019-6342 is to upgrade Drupal Core to version 8.7.5 or later. If upgrading immediately is not possible, disabling the Workspaces module is a temporary workaround: it prevents the vulnerability from being exploited, but it also removes the functionality the module provides. Consider implementing stricter access controls and regularly reviewing user permissions to further reduce the attack surface. After upgrading, confirm the fix by attempting to access restricted areas of the Drupal site with a non-administrative user account; access should be denied.
Disable the Workspaces module. This issue only affects Drupal version 8.7.4.
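An added check (not code from this page, the Drupal advisory or the Drupal project) that applies the affected condition above to a site's own files. It assumes a Composer-managed Drupal 8 site whose core version is recorded under drupal/core in composer.lock and whose enabled modules are listed in an exported core.extension.yml; the two sample inputs at the bottom are constructed.

```python
# Added example (not from the page or the Drupal project). Assumes a
# Composer-managed Drupal 8 site: core version from the drupal/core entry
# in composer.lock, enabled modules from an exported core.extension.yml.
import json
import re

FIXED_IN = (8, 7, 5)  # first release carrying the fix, per the advisory

def parse_version(text):
    """Turn '8.7.4' (or 'v8.7.4', '8.7.4-beta1') into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable Drupal version: {text!r}")
    return tuple(int(x) for x in m.groups())

def core_version_from_lock(lock_text):
    """Return the drupal/core version recorded in a composer.lock document."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"]
    raise LookupError("drupal/core not found in composer.lock")

def enabled_modules(core_extension_yml):
    """Read the 'module:' map of core.extension.yml without a YAML library.
    Assumes Drupal's exported layout: 'name: weight' lines indented under 'module:'."""
    modules, in_module = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # a new top-level key (module:, theme:, profile:)
            in_module = line.startswith("module:")
            continue
        if in_module:
            modules.add(line.split(":", 1)[0].strip())
    return modules

def assess(lock_text, core_extension_yml):
    """Apply the advisory's condition: core below 8.7.5 AND Workspaces enabled."""
    version = parse_version(core_version_from_lock(lock_text))
    if version >= FIXED_IN:
        return False, "core is at or above the fixed release"
    if "workspaces" not in enabled_modules(core_extension_yml):
        return False, "vulnerable core, but Workspaces is disabled (workaround in place)"
    return True, "vulnerable core with Workspaces enabled: upgrade or disable the module"

# Constructed sample inputs: an 8.7.4 site with Workspaces switched on.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "8.7.4"}]})
SAMPLE_EXT = "module:\n  node: 0\n  workspaces: 0\ntheme:\n  bartik: 0\nprofile: standard\n"
```

Run `assess(SAMPLE_LOCK, SAMPLE_EXT)` to see the verdict for the sample site; point the two inputs at the real composer.lock and config sync directory to check a live install.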
CVE-2019-6342 is a critical vulnerability in Drupal Core versions up to 8.7.4 that allows attackers to bypass access controls when the Workspaces module is enabled, potentially granting unauthorized access.
You are affected if you are running Drupal Core version 8.7.4 or earlier and have the Workspaces module enabled. Upgrade to 8.7.5 or disable the Workspaces module to mitigate the risk.
The recommended fix is to upgrade Drupal Core to version 8.7.5 or later. As a temporary workaround, disable the Workspaces module until you can upgrade.
While no active exploitation campaigns have been confirmed, the vulnerability's criticality and ease of exploitation suggest it remains a significant risk. Monitor your systems for suspicious activity.
Refer to the official Drupal security advisory for detailed information and updates: https://www.drupal.org/security/advisories/cove-2019-6342