Drupal 8.5.x < 8.5.11 RCE (SA-CORE-2019-003)
Critical Nessus Network Monitor Plugin ID 700419
Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to a critical remote code execution attack vector.
Description
The version of Drupal installed on the remote server is 8.5.x prior to 8.5.11, and is affected by a flaw in the 'Memcache::getextendedstats' function that can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code.
Solution
Upgrade to Drupal 8.5.11 or later.