Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.
This vulnerability can be exploited by anonymous users.
This SQL injection vulnerability only affects sites using PostgreSQL. However, the third-party dependency updates in these releases apply to all sites.
Upstream security advisories
The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.
Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.
Install the latest version.
The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.10.
- If you use Drupal 11.2.x, update to Drupal 11.2.12.
- If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.9.
- If you use Drupal 10.5.x, update to Drupal 10.5.10.
- If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.
Drupal 9 and 8
- If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
- If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.
- Björn Brala (bbrala)
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Anna Kalata (akalata) of the Drupal Security Team
- Benji Fisher (benjifisher) of the Drupal Security Team
- catch (catch) of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Heine Deelstra (heine) of the Drupal Security Team
- Tim Hestenes Lehnen (hestenet)
- Dave Long (longwave) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Pierre Rudloff (prudloff) of the Drupal Security Team
- quietone (quietone)
- Jess (xjm) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
