View online: https://www.drupal.org/SA-CORE-2017-002 * Advisory ID: DRUPAL-SA-CORE-2017-002 * Project: Drupal core [1] * Version: 8.x * Date: 2017-April-19 * CVEID: CVE-2017-6919 * Security risk: 17/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This is a critical access bypass vulnerability. A site is only affected by this is the following conditions are met: * The site has the RESTful Web Services (rest) module enabled. * The site allows PATCH requests. * An attacker can get or register a user account on the site. While we don't normally provide security releases for unsupported minor releases [3], given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal 8 prior to 8.2.8 and 8.3.1. * Drupal 7.x is not affected. -------- SOLUTION ------------------------------------------------------------ * If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5] * If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6] Also see the Drupal core [7] project page. -------- REPORTED BY --------------------------------------------------------- * Samuel Mortenson [8] -------- FIXED BY ------------------------------------------------------------ * Alex Pott [9] of the Drupal Security Team * xjm [10] of the Drupal Security Team * Lee Rowlands [11] of the Drupal Security Team * Wim Leers [12] * Sascha Grossenbacher [13] * Daniel Wehner [14] * Tobias Stöckler [15] * Nathaniel Catchpole [16] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * The Drupal Security team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [17]. Learn more about the Drupal Security team and their policies [18], writing secure code for Drupal [19], and securing your site [20]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [21] [1] https://www.drupal.org/project/drupal [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/core/release-cycle-overview [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/drupal/releases/8.2.8 [6] https://www.drupal.org/project/drupal/releases/8.3.1 [7] https://www.drupal.org/project/drupal [8] https://www.drupal.org/u/samuelmortenson [9] https://www.drupal.org/u/alexpott [10] https://www.drupal.org/u/xjm [11] https://www.drupal.org/u/larowlan [12] https://www.drupal.org/u/wim-leers [13] https://www.drupal.org/u/Berdir [14] https://www.drupal.org/u/dawehner [15] https://www.drupal.org/u/tstoeckler [16] https://www.drupal.org/u/catch [17] https://www.drupal.org/contact [18] https://www.drupal.org/security-team [19] https://www.drupal.org/writing-secure-code [20] https://www.drupal.org/security/secure-configuration [21] https://twitter.com/drupalsecurity