[Security-news] Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

security-news at drupal.org security-news at drupal.org
Wed Apr 19 17:59:35 UTC 2017


View online: https://www.drupal.org/SA-CORE-2017-002

   * Advisory ID: DRUPAL-SA-CORE-2017-002
   * Project: Drupal core [1]
   * Version: 8.x
   * Date: 2017-April-19
   * CVEID: CVE-2017-6919
   * Security risk: 17/25 ( Critical)
     AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
   * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This is a critical access bypass vulnerability. A site is only affected by
this is the following conditions are met:

   * The site has the RESTful Web Services (rest) module enabled.
   * The site allows PATCH requests.
   * An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor
releases [3], given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

   * /A CVE identifier [4] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

   * Drupal 8 prior to 8.2.8 and 8.3.1.
   * Drupal 7.x is not affected.

-------- SOLUTION
------------------------------------------------------------

   * If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5]
   * If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6]

Also see the Drupal core [7] project page.

-------- REPORTED BY
---------------------------------------------------------

   * Samuel Mortenson [8]

-------- FIXED BY
------------------------------------------------------------

   * Alex Pott [9] of the Drupal Security Team
   * xjm [10] of the Drupal Security Team
   * Lee Rowlands [11] of the Drupal Security Team
   * Wim Leers [12]
   * Sascha Grossenbacher [13]
   * Daniel Wehner [14]
   * Tobias Stöckler [15]
   * Nathaniel Catchpole [16] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

   * The Drupal Security team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and  securing your site [20].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [21]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/core/release-cycle-overview
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/8.2.8
[6] https://www.drupal.org/project/drupal/releases/8.3.1
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/samuelmortenson
[9] https://www.drupal.org/u/alexpott
[10] https://www.drupal.org/u/xjm
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/Berdir
[14] https://www.drupal.org/u/dawehner
[15] https://www.drupal.org/u/tstoeckler
[16] https://www.drupal.org/u/catch
[17] https://www.drupal.org/contact
[18] https://www.drupal.org/security-team
[19] https://www.drupal.org/writing-secure-code
[20] https://www.drupal.org/security/secure-configuration
[21] https://twitter.com/drupalsecurity



More information about the Security-news mailing list