Drupal 8.6.x < 8.6.10 RCE (SA-CORE-2019-003)
Critical Nessus Network Monitor Plugin ID 700420
Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to a critical remote code execution attack vector.

Description
The version of Drupal installed on the remote server is 8.6.x prior to 8.6.10, and is affected by a flaw in the 'Memcache::getextendedstats' function that can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code.

Solution
Upgrade to Drupal 8.6.10 or later.