[Security-news] Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

security-news at drupal.org security-news at drupal.org
Wed Mar 15 20:34:42 UTC 2017


View online: https://www.drupal.org/SA-2017-001

Drupal 8.2.7, a maintenance release which contains fixes for security
vulnerabilities, is now available for download.

Download Drupal 8.2.7 [1]

*Upgrading [2] your existing Drupal 8 sites is strongly recommended.* There
are no new features nor non-security-related bug fixes in this release. See
the 8.2.7 release notes [3] for details on important changes and known issues
affecting this release. Read on for details of the security vulnerabilities
that were fixed in this release.
   * Advisory ID: DRUPAL-SA-CORE-2017-001
   * Project: Drupal core [4]
   * Version: 7.x, 8.x
   * Date: 2017-March-15

-------- DESCRIPTION
---------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8
     - Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the
editor will not correctly check access for the file being attached, resulting
in an access bypass.

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
     Site Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection against CSRF. This would
allow an attacker to disable some blocks on a site. This issue is mitigated by
the fact that the attacker would have to know the block ID.
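
As an added illustration (not part of the advisory, and not Drupal core's own
routing file), this is how a Drupal 8 module declares the protection the
affected paths lacked: a `_csrf_token` requirement on a state-changing
administrative route. The module name `example`, the route name, the path and
the controller class are hypothetical.

```yaml
# example.routing.yml (hypothetical module "example", added example)
example.block_disable:
  path: '/admin/structure/block/manage/{block}/disable'
  defaults:
    _controller: '\Drupal\example\Controller\BlockController::disable'
    _title: 'Disable block'
  requirements:
    _permission: 'administer blocks'
    # Reject any request whose "token" query parameter is missing or does not
    # match the CSRF token issued for this path and the current session.
    _csrf_token: 'TRUE'
```

Links to such a route must be generated through Drupal's routing API (for
instance `Url::fromRoute('example.block_disable', ['block' => $id])`), which
appends the `token` query parameter for routes carrying this requirement; a URL
assembled by hand from a known block ID is rejected by the access check.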

.. Remote code execution - Drupal 8 - Remote code execution - Moderately
     Critical - CVE-2017-6381

A third-party development library included with Drupal 8's development
dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution,
and by the fact that Composer development dependencies aren't normally
installed on production sites.

You might be vulnerable to this if you are running a version of Drupal before
8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit
directory from the site root of your production deployments.
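
The following audit script is an added example, not part of the advisory or of
Drupal. It checks a Drupal 8 docroot for the points above: the core version
declared in core/lib/Drupal.php (fixed in 8.2.7), whether the Composer
development dependency vendor/phpunit was deployed, and whether vendor/.htaccess
still carries a rule that stops PHP from executing there. The .htaccess check
assumes the wording of the stock Drupal 8 file (a `SetHandler
Drupal_Security_Do_Not_Remove...` or `php_flag engine off` line); the fixture it
builds when run without arguments is constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not Drupal's own code): audit a Drupal 8 docroot for the
# CVE-2017-6381 conditions described in SA-CORE-2017-001.

# Print the core version declared in core/lib/Drupal.php (empty if not found).
drupal_core_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" \
    "$1/core/lib/Drupal.php" 2>/dev/null | head -n 1
}

# version_lt A B: succeed (0) when dot-separated version A is older than B.
# Non-numeric suffixes such as "-rc1" are ignored, so 8.3.0-rc1 compares as 8.3.0.
version_lt() {
  vl_a="$1"; vl_b="$2"
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_ai=${vl_a%%.*}; vl_bi=${vl_b%%.*}
    if [ "$vl_a" = "$vl_ai" ]; then vl_a=; else vl_a=${vl_a#*.}; fi
    if [ "$vl_b" = "$vl_bi" ]; then vl_b=; else vl_b=${vl_b#*.}; fi
    vl_ai=${vl_ai%%[!0-9]*}; vl_bi=${vl_bi%%[!0-9]*}
    vl_ai=${vl_ai:-0};       vl_bi=${vl_bi:-0}
    [ "$vl_ai" -lt "$vl_bi" ] && return 0
    [ "$vl_ai" -gt "$vl_bi" ] && return 1
  done
  return 1
}

# Succeed when the phpunit development dependency is absent from vendor/.
phpunit_absent() {
  [ ! -d "$1/vendor/phpunit" ]
}

# Succeed when vendor/.htaccess carries a rule that stops PHP from executing
# there (assumption: the stock Drupal 8 rule wording).
vendor_htaccess_ok() {
  grep -Eq 'SetHandler Drupal_Security_Do_Not_Remove|php_flag[[:space:]]+engine[[:space:]]+off' \
    "$1/vendor/.htaccess" 2>/dev/null
}

# Run all checks: return 0 if clean, 1 if something needs action, 2 if the
# directory does not look like a Drupal 8 docroot.
audit_drupal_site() {
  ad_root="$1"; ad_rc=0
  ad_ver=$(drupal_core_version "$ad_root")
  if [ -z "$ad_ver" ]; then
    echo "$ad_root: core/lib/Drupal.php not found, not a Drupal 8 docroot?"; return 2
  fi
  if version_lt "$ad_ver" 8.2.7; then
    echo "FAIL core $ad_ver is older than 8.2.7: upgrade"; ad_rc=1
  else
    echo "ok   core $ad_ver"
  fi
  if phpunit_absent "$ad_root"; then
    echo "ok   vendor/phpunit not deployed"
  else
    echo "FAIL vendor/phpunit present: remove it from production"; ad_rc=1
  fi
  if vendor_htaccess_ok "$ad_root"; then
    echo "ok   vendor/.htaccess blocks PHP execution"
  else
    echo "WARN vendor/.htaccess missing or without the PHP-execution rule"; ad_rc=1
  fi
  return $ad_rc
}

# Build a constructed, minimal docroot for demonstration (not a real Drupal tree).
# make_fixture DIR VERSION yes|no   (third argument: create vendor/phpunit)
make_fixture() {
  mkdir -p "$1/core/lib" "$1/vendor"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" > "$1/core/lib/Drupal.php"
  printf 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n' > "$1/vendor/.htaccess"
  if [ "$3" = yes ]; then mkdir -p "$1/vendor/phpunit/phpunit"; fi
}

# Usage: sh audit.sh /var/www/drupal   (no argument: audit a constructed fixture)
if [ $# -gt 0 ]; then
  audit_drupal_site "$1"
else
  demo=$(mktemp -d)
  make_fixture "$demo/site" 8.2.6 yes
  audit_drupal_site "$demo/site"
  rm -rf "$demo"
fi
```

Run it against each production docroot; a non-zero exit means the site is
either below 8.2.7, still ships vendor/phpunit, or has lost the .htaccess rule
that the advisory relies on as a mitigation.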

-------- SOLUTION
------------------------------------------------------------

Upgrade to Drupal 8.2.7

-------- REPORTED BY
---------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8
     - Access Bypass - Critical - CVE-2017-6377

   * Casey [5]

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
     Site Request Forgery - Moderately Critical - CVE-2017-6379

   * Samuel Mortenson [6]

.. Remote code execution - Drupal 8 - Remote code execution - Moderately
     Critical -  CVE-2017-6381

   * Timo Hilsdorf [7]

-------- FIXED BY
------------------------------------------------------------

.. Editor module incorrectly checks access to inline private files - Drupal 8
     - Access Bypass - Critical - CVE-2017-6377

   * László Csécsy [8]
   * Wim Leers [9]
   * Alex Pott [10] of the Drupal Security Team
   * Klaus Purer [11] of the Drupal Security Team

.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
     Site Request Forgery - Moderately Critical - CVE-2017-6379

   * Samuel Mortenson [12]
   * Sascha Grossenbacher

.. Remote code execution - Drupal 8 - Remote code execution - Moderately
     Critical - CVE-2017-6381

   * Klaus Purer [13] of the Drupal Security Team
   * Mixologic [14]

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [15].

Learn more about the Drupal Security team and their policies [16], writing
secure code for Drupal [17], and  securing your site [18].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [19]


[1] http://ftp.drupal.org/files/projects/drupal-8.2.7.tar.gz
[2] https://www.drupal.org/upgrade
[3] https://www.drupal.org/project/drupal/releases/8.2.7
[4] https://www.drupal.org/project/drupal
[5] https://www.drupal.org/u/casey
[6] http://drupal.org/u/samuel.mortenson
[7] https://www.drupal.org/user/3506593
[8] https://www.drupal.org/u/Boobaa
[9] https://www.drupal.org/u/wim-leers
[10] https://www.drupal.org/u/alexpott
[11] https://www.drupal.org/u/klausi
[12] https://www.drupal.org/u/samuel.mortenson
[13] https://www.drupal.org/u/klausi
[14] https://www.drupal.org/u/Mixologic
[15] https://www.drupal.org/contact
[16] https://www.drupal.org/security-team
[17] https://www.drupal.org/writing-secure-code
[18] https://www.drupal.org/security/secure-configuration
[19] https://twitter.com/drupalsecurity
