CVE-2017-6919
HIGH 7.5 | EPSS 0.60% | Drupal access control bypass vulnerability
Published: 5/13/2022 | Modified: 4/23/2024
Description
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
Affected packages (2)
- Packagist/drupal/core >= 8.0, < 8.2.8
- Packagist/drupal/drupal >= 8.0, < 8.2.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-6919
- PATCH: https://github.com/drupal/core
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6919.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6919.yaml
- WEB: https://www.drupal.org/SA-2017-002
- WEB: https://www.drupal.org/SA-CORE-2017-002
- WEB: http://www.securityfocus.com/bid/97941
- WEB: http://www.securitytracker.com/id/1038371