CVE-2009-1507
Vulnerability from cvelistv5
Published
2009-05-01 17:00
Modified
2024-08-07 05:13
Severity ?
EPSS score ?
Summary
The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://drupal.org/node/449030 | Patch, Vendor Advisory | |
| cve@mitre.org | http://secunia.com/advisories/34955 | Vendor Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/34778 | Patch | |
| cve@mitre.org | http://www.vupen.com/english/advisories/2009/1212 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T05:13:25.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://drupal.org/node/449030"
},
{
"name": "34778",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/34778"
},
{
"name": "ADV-2009-1212",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/1212"
},
{
"name": "34955",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/34955"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-04-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-05-13T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://drupal.org/node/449030"
},
{
"name": "34778",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/34778"
},
{
"name": "ADV-2009-1212",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/1212"
},
{
"name": "34955",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/34955"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-1507",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://drupal.org/node/449030",
"refsource": "CONFIRM",
"url": "http://drupal.org/node/449030"
},
{
"name": "34778",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/34778"
},
{
"name": "ADV-2009-1212",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/1212"
},
{
"name": "34955",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/34955"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-1507",
"datePublished": "2009-05-01T17:00:00",
"dateReserved": "2009-05-01T00:00:00",
"dateUpdated": "2024-08-07T05:13:25.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2009-1507\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-05-01T17:30:00.547\",\"lastModified\":\"2009-05-13T05:28:03.140\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x before 6.x-2.0-beta6, a module for Drupal, interprets an empty CCK user reference as a reference to the anonymous user, which might allow remote attackers to bypass intended access restrictions to read or modify a node.\"},{\"lang\":\"es\",\"value\":\"El m\u00f3dulo Node Access User Reference v5.x anterior a v5.x-2.0-beta4 y v6.x anterior a v6.x-2.0-beta6, un m\u00f3dulo para Drupal, interpreta un referencia a usuario CCK vac\u00eda como una referencia al usuario an\u00f3nimo, lo cual puede permitir a atacantes remotos eludir las restricciones de acceso para leer o modificar un nodo.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":7.5},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"799CA80B-F3FA-4183-A791-2071A7DA1E54\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"258146DF-AE15-409C-BE70-725982EA136C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1007E9C-8634-4A8E-8A36-5F337F766BD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"30D3C011-FEBF-4435-8F9D-19B5187D090F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B92368BC-20A6-42B5-889D-53AB1BA028B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17D553E7-8EBB-4EAC-A9F3-E1524F7AA154\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAF88146-F2AB-4A49-BE0B-5EE56BF180DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-2.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E6A50E4-6B5C-4683-B3F9-7FDEFB9F0CCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:5.x-2.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2360CB4-D4F4-462D-B0BC-4E44C91D98E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F30F5EBC-0350-4D2B-9145-DB9AF13A90AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"942B1BC4-11AE-42F4-BD8D-83898432DC3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F7C7F90-9FEF-4D31-9643-5D92AF7F1D34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD0A18F6-8EE6-41D8-AF69-FFAABEB47661\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66824B75-7E7E-45CA-9D9D-F916D4C8B9D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADA0F06E-3674-4816-9BBE-8B1668B71E7C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E7AAAB4-D435-400E-8532-201A96EF93A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2102783C-0725-4BC0-B809-BFB32E8E1330\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-2.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"08CD2483-246B-4987-B20B-383C0E1A989C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-2.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"00E69FB5-6D7E-4830-B371-C36D4F512030\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-2.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AEDC123-2E18-4181-A1D7-412641D2249A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:nodeaccess_userreference:6.x-2.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"5735D8E8-3B78-4ED4-80F5-5C5BC16658AF\"}]}]}],\"references\":[{\"url\":\"http://drupal.org/node/449030\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/34955\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/34778\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.vupen.com/english/advisories/2009/1212\",\"source\":\"cve@mitre.org\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.