Vulnerability in Database Abstraction Layer
A significant security flaw has been discovered in Drupal Core that primarily affects websites using PostgreSQL databases. The issue resides in a database abstraction API that Drupal uses to validate queries and protect against SQL injection attacks. Due to a flaw in this API, an attacker can send specially crafted requests to bypass these protections, leading to arbitrary SQL injection. If exploited, this could result in information disclosure, privilege escalation, or even remote code execution. Importantly, the vulnerability can be triggered by anonymous users, meaning no authentication is required to attempt an attack.
Affected Versions and Patches
Drupal has released security updates to address this issue across multiple supported branches. Users should upgrade to Drupal 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10, depending on their current version. The updates for supported branches also include upstream security fixes for Symfony and Twig, making it essential to install the latest versions promptly. For those running end-of-life versions (Drupal 9 and 8), manual patches have been provided as a best effort, though these unsupported branches still contain other known vulnerabilities. Organizations using PostgreSQL with Drupal are strongly advised to apply patches immediately to mitigate the risk of exploitation.
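To turn the version list above into a quick triage check, here is an added example (not code from the advisory or from Drupal) that reads a site's core version and database driver and says whether it is on a fixed release; it assumes the version constant lives in core/lib/Drupal.php as `const VERSION = '...'` and that the driver name is the `pgsql` value used in settings.php.

```python
import re

# Fixed releases for the supported branches named in the advisory: {(major, minor): patch}
FIXED = {(11, 3): 10, (11, 2): 12, (11, 1): 10, (10, 6): 9, (10, 5): 10, (10, 4): 10}
EOL_MAJORS = {8, 9}  # end of life: only best-effort manual patches, per the advisory

# Assumption: Drupal core records its version as `const VERSION = '...'` in core/lib/Drupal.php
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")


def version_from_drupal_php(source: str):
    """Pull the VERSION constant out of the text of core/lib/Drupal.php."""
    match = VERSION_RE.search(source)
    return match.group(1) if match else None


def parse_version(version: str):
    """'10.5.3' -> (10, 5, 3); returns None for dev/branch strings such as '11.x-dev'."""
    try:
        parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def assess(version: str, db_driver: str) -> dict:
    """Decide what one site needs. PostgreSQL sites are the primary target, so they
    get the higher priority; other drivers still get the upgrade recommendation."""
    parsed = parse_version(version)
    priority = "high" if db_driver.lower() == "pgsql" else "normal"
    if parsed is None:
        return {"action": "inspect: version string not parseable", "priority": priority}
    major, minor, patch = parsed
    if major in EOL_MAJORS:
        return {"action": "apply manual patch (EOL branch)", "priority": priority}
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return {"action": "unlisted branch: move to a supported release", "priority": priority}
    if patch >= fixed:
        return {"action": "patched", "priority": "none"}
    return {"action": f"upgrade to {major}.{minor}.{fixed}", "priority": priority}


if __name__ == "__main__":
    # Constructed sample of the relevant line from core/lib/Drupal.php
    sample_php = "class Drupal {\n  const VERSION = '10.5.3';\n"
    print(assess(version_from_drupal_php(sample_php), "pgsql"))
```

For a real site, feed it the contents of core/lib/Drupal.php and the `driver` value from settings.php; a dev or branch version string is reported for manual inspection rather than guessed at.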
Source: The Hacker News
