[Security-news] Drupal Core - Critical - Access Bypass - SA-CORE-2017-002
security-news at drupal.org
security-news at drupal.org
Wed Apr 19 17:59:35 UTC 2017
View online: https://www.drupal.org/SA-CORE-2017-002
* Advisory ID: DRUPAL-SA-CORE-2017-002
* Project: Drupal core [1]
* Version: 8.x
* Date: 2017-April-19
* CVEID: CVE-2017-6919
* Security risk: 17/25 ( Critical)
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
This is a critical access bypass vulnerability. A site is only affected by
this is the following conditions are met:
* The site has the RESTful Web Services (rest) module enabled.
* The site allows PATCH requests.
* An attacker can get or register a user account on the site.
While we don't normally provide security releases for unsupported minor
releases [3], given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 8 prior to 8.2.8 and 8.3.1.
* Drupal 7.x is not affected.
-------- SOLUTION
------------------------------------------------------------
* If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5]
* If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6]
Also see the Drupal core [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Samuel Mortenson [8]
-------- FIXED BY
------------------------------------------------------------
* Alex Pott [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
* Wim Leers [12]
* Sascha Grossenbacher [13]
* Daniel Wehner [14]
* Tobias Stöckler [15]
* Nathaniel Catchpole [16] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [17].
Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [21]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/core/release-cycle-overview
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/8.2.8
[6] https://www.drupal.org/project/drupal/releases/8.3.1
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/samuelmortenson
[9] https://www.drupal.org/u/alexpott
[10] https://www.drupal.org/u/xjm
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/Berdir
[14] https://www.drupal.org/u/dawehner
[15] https://www.drupal.org/u/tstoeckler
[16] https://www.drupal.org/u/catch
[17] https://www.drupal.org/contact
[18] https://www.drupal.org/security-team
[19] https://www.drupal.org/writing-secure-code
[20] https://www.drupal.org/security/secure-configuration
[21] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list