Vulnerability-Lookup

CVE-2017-6919 (GCVE-0-2017-6919)

Vulnerability from cvelistv5 – Published: 2017-04-20 02:43 – Updated: 2024-08-05 15:49

Summary

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Severity ?

No CVSS data available.

CWE

access bypass

Assigner

drupal

References

URL

Tags

	http://www.securityfocus.com/bid/97941	vdb-entryx_refsource_BID
	https://www.drupal.org/SA-CORE-2017-002	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1038371	vdb-entryx_refsource_SECTRACK

Impacted products

	Vendor	Product	Version
	n/a	Drupal	Affected: Drupal

Date Public ?

2017-04-19 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:49:02.380Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "97941",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97941"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.drupal.org/SA-CORE-2017-002"
          },
          {
            "name": "1038371",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038371"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Drupal",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Drupal"
            }
          ]
        }
      ],
      "datePublic": "2017-04-19T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "access bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T09:57:01.000Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "name": "97941",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97941"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.drupal.org/SA-CORE-2017-002"
        },
        {
          "name": "1038371",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038371"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2017-6919",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Drupal",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Drupal"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "access bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "97941",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97941"
            },
            {
              "name": "https://www.drupal.org/SA-CORE-2017-002",
              "refsource": "CONFIRM",
              "url": "https://www.drupal.org/SA-CORE-2017-002"
            },
            {
              "name": "1038371",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038371"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2017-6919",
    "datePublished": "2017-04-20T02:43:00.000Z",
    "dateReserved": "2017-03-16T00:00:00.000Z",
    "dateUpdated": "2024-08-05T15:49:02.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2017-6919",
      "date": "2026-04-27",
      "epss": "0.00598",
      "percentile": "0.69472"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3C20DAD7-13A7-40F7-B6E0-965DB4E14508\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*\", \"matchCriteriaId\": \"144694E6-3287-4F4D-A687-7F495133DBA2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*\", \"matchCriteriaId\": \"581D686B-1061-4271-BEF4-17A429BD666A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3E45AA6-5FAF-4C63-91F5-0765CE60191A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*\", \"matchCriteriaId\": \"FE5D81CF-AE7B-4A9C-AD8F-9A19D2AC35DA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*\", \"matchCriteriaId\": \"A27535A5-7C4F-4548-A4B8-5FFBD58361D7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*\", \"matchCriteriaId\": \"17BC6508-3518-4BB5-B29F-4E6CB6DE9D44\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*\", \"matchCriteriaId\": \"8CBB5620-5847-443F-8356-B66EE93A3779\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*\", \"matchCriteriaId\": \"3E81260D-E0D2-4FD2-AAED-99945404EB00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A7D34E6-76E0-4BCB-A4C8-9401C7331EF4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*\", \"matchCriteriaId\": \"201E2EA9-B811-4BB2-867A-6F12DC472911\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*\", \"matchCriteriaId\": \"C957B189-10C2-4D42-B5B9-03F7DE287C8B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*\", \"matchCriteriaId\": \"A7E21838-CDEC-41B2-AE40-C78DE8984B6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*\", \"matchCriteriaId\": \"639F0284-85D1-40B0-B337-77632E7A664B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F4B611A-3628-41EA-878D-BF9D6C34AA83\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"856E46E5-1BF3-42F4-AFCB-81275B1EF265\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*\", \"matchCriteriaId\": \"B351F769-598F-4E3E-99EA-94A5516995A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*\", \"matchCriteriaId\": \"220900E6-5859-4CA9-831E-3FF3C128F060\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*\", \"matchCriteriaId\": \"0D55D51E-DE2D-469C-9F9C-F312A02EE921\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*\", \"matchCriteriaId\": \"259B5FE7-2808-4F61-B98C-73ECC7F9503C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA263BE6-2088-4E18-914B-96CFAA0093E0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*\", \"matchCriteriaId\": \"906AED87-8C5C-4214-B5AD-43E5573E357A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*\", \"matchCriteriaId\": \"E150FDA8-5271-465C-8DE0-F44E9FC81E90\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E036D4F-BD94-4F77-883C-165B3F0802C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"7A7068F8-810D-4720-9E0E-06DB1DD366ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*\", \"matchCriteriaId\": \"443183F6-9EF5-41AE-8AD0-B304BBF1670A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*\", \"matchCriteriaId\": \"58C5EF43-E24F-4BDB-9496-16DE4EEF3E67\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*\", \"matchCriteriaId\": \"B00B494B-736A-47A7-ACF3-81368C033086\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*\", \"matchCriteriaId\": \"E275F22B-7A46-4107-BE6F-6C4D7EAA46FC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"63530139-7EF2-4210-9870-B06175ECBC58\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"ED085089-51D6-4E5C-96E8-CC5C7C55CC97\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"36FC67CE-9C45-4842-81AF-EEAE557D70D8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"5FE6AC83-B248-4491-A320-836C65E64D6A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99D7F3C7-3EC6-48D2-A8D5-1F987FD74A20\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"434D4D80-44C0-4278-A09B-005A599F4658\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2CF1BC91-4A24-40FC-8EEC-E4FAD624C2CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"43067661-B562-41BC-B272-8A79075291B9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EA9EF375-AE7C-4900-A992-C635228889E4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"53FA0C7F-000A-4CB4-86E3-DEC0C9DCA1BB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E39B2B71-C1B8-4A16-88FE-D691CC3C9BE8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"535BC461-E9B1-4124-8125-1D9F91CF4F68\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"06F63C7F-CE02-428D-90CD-05B726C0026D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"F18278D5-A30B-4624-AC64-CA39F92EB8C2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B3F72CAF-2BCA-454D-B8AC-951EC566A965\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0C7CB5D-CE55-4628-957D-3D2C5EE2353B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C9E1FBB4-D63F-4AA0-ADE3-70527F4D84A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9D2D1BF3-879B-44C5-B3A0-2E91B27BFF29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D2BB7835-2BFD-4182-B112-7E8A9FF2449C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80CE2090-A5AF-47B8-BB7D-727FFF093413\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B28527E-92CB-4171-8EE3-9187C3F44EC5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CB85396-4D94-4752-A134-A1644C707777\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F6802D01-6220-4EBE-B267-10DC14E6D186\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EAD4EC47-7DD8-443B-8821-DFAE03FE2FD8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA084D8B-FEFC-41D5-A384-1DCB297CC1A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F5756FE-158A-4194-9E5E-EA918C4A3D1E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"F344F3CE-C45E-4C3A-9F48-DAA0F2A49137\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"45C7BA91-93C2-4615-8A4D-11702FF5A155\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"615DED7F-691F-4EF8-BE82-6E51B4971BFC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"467F335F-6FA1-413F-995F-29136658D969\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BABC38A1-0034-4CDE-B580-8026D6E0FE39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFA63C78-B234-4EBA-99A2-070213D1DA19\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"997EF82A-B6C0-403A-BA58-E174FF2D981F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FAE56E4F-47D3-41F4-951E-3E4BBE74B6D9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8601673A-8FF8-4430-BB24-038443E1CED8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AFD82372-D143-4AE7-8FE0-40FFD8F3E153\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.2.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BCA00E55-32EB-41D7-B6FB-756738E4F9F5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FEE90095-47A7-425E-8D9E-20D974647813\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.3.0:alpha1:*:*:*:*:*:*\", \"matchCriteriaId\": \"75FFBFC9-8D65-40E5-B6D5-53A945247518\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.3.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E1A0582-A538-4FB7-A358-52C79266B383\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.3.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"5B740914-9270-4FF5-93F6-99A51FF9C012\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:drupal:drupal:8.3.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"8D1FDCC9-ABC7-442D-8D84-82BEFD4D380D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.\"}, {\"lang\": \"es\", \"value\": \"Drupal 8 en versiones anteriores a 8.2.8 y 8.3 en versiones anteriores a 8.3.1 permite elusi\\u00f3n de acceso cr\\u00edtica por usuarios autenticados si el m\\u00f3dulo RESTful Web Services (resto) est\\u00e1 habilitado y el sitio permite solicitudes PATCH.\"}]",
      "id": "CVE-2017-6919",
      "lastModified": "2024-11-21T03:30:48.660",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 6.8, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-04-20T02:59:00.143",
      "references": "[{\"url\": \"http://www.securityfocus.com/bid/97941\", \"source\": \"mlhess@drupal.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1038371\", \"source\": \"mlhess@drupal.org\"}, {\"url\": \"https://www.drupal.org/SA-CORE-2017-002\", \"source\": \"mlhess@drupal.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/97941\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1038371\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.drupal.org/SA-CORE-2017-002\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "mlhess@drupal.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-6919\",\"sourceIdentifier\":\"mlhess@drupal.org\",\"published\":\"2017-04-20T02:59:00.143\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.\"},{\"lang\":\"es\",\"value\":\"Drupal 8 en versiones anteriores a 8.2.8 y 8.3 en versiones anteriores a 8.3.1 permite elusi\u00f3n de acceso cr\u00edtica por usuarios autenticados si el m\u00f3dulo RESTful Web Services (resto) est\u00e1 habilitado y el sitio permite solicitudes PATCH.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"baseScore\":6.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C20DAD7-13A7-40F7-B6E0-965DB4E14508\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*\",\"matchCriteriaId\":\"144694E6-3287-4F4D-A687-7F495133DBA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*\",\"matchCriteriaId\":\"581D686B-1061-4271-BEF4-17A429BD666A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3E45AA6-5FAF-4C63-91F5-0765CE60191A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE5D81CF-AE7B-4A9C-AD8F-9A19D2AC35DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*\",\"matchCriteriaId\":\"A27535A5-7C4F-4548-A4B8-5FFBD58361D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*\",\"matchCriteriaId\":\"17BC6508-3518-4BB5-B29F-4E6CB6DE9D44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8CBB5620-5847-443F-8356-B66EE93A3779\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E81260D-E0D2-4FD2-AAED-99945404EB00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A7D34E6-76E0-4BCB-A4C8-9401C7331EF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*\",\"matchCriteriaId\":\"201E2EA9-B811-4BB2-867A-6F12DC472911\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*\",\"matchCriteriaId\":\"C957B189-10C2-4D42-B5B9-03F7DE287C8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7E21838-CDEC-41B2-AE40-C78DE8984B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*\",\"matchCriteriaId\":\"639F0284-85D1-40B0-B337-77632E7A664B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F4B611A-3628-41EA-878D-BF9D6C34AA83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"856E46E5-1BF3-42F4-AFCB-81275B1EF265\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*\",\"matchCriteriaId\":\"B351F769-598F-4E3E-99EA-94A5516995A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*\",\"matchCriteriaId\":\"220900E6-5859-4CA9-831E-3FF3C128F060\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D55D51E-DE2D-469C-9F9C-F312A02EE921\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*\",\"matchCriteriaId\":\"259B5FE7-2808-4F61-B98C-73ECC7F9503C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA263BE6-2088-4E18-914B-96CFAA0093E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*\",\"matchCriteriaId\":\"906AED87-8C5C-4214-B5AD-43E5573E357A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*\",\"matchCriteriaId\":\"E150FDA8-5271-465C-8DE0-F44E9FC81E90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E036D4F-BD94-4F77-883C-165B3F0802C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A7068F8-810D-4720-9E0E-06DB1DD366ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"443183F6-9EF5-41AE-8AD0-B304BBF1670A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"58C5EF43-E24F-4BDB-9496-16DE4EEF3E67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"B00B494B-736A-47A7-ACF3-81368C033086\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"E275F22B-7A46-4107-BE6F-6C4D7EAA46FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"63530139-7EF2-4210-9870-B06175ECBC58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED085089-51D6-4E5C-96E8-CC5C7C55CC97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"36FC67CE-9C45-4842-81AF-EEAE557D70D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FE6AC83-B248-4491-A320-836C65E64D6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99D7F3C7-3EC6-48D2-A8D5-1F987FD74A20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"434D4D80-44C0-4278-A09B-005A599F4658\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CF1BC91-4A24-40FC-8EEC-E4FAD624C2CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43067661-B562-41BC-B272-8A79075291B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA9EF375-AE7C-4900-A992-C635228889E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"53FA0C7F-000A-4CB4-86E3-DEC0C9DCA1BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E39B2B71-C1B8-4A16-88FE-D691CC3C9BE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"535BC461-E9B1-4124-8125-1D9F91CF4F68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"06F63C7F-CE02-428D-90CD-05B726C0026D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F18278D5-A30B-4624-AC64-CA39F92EB8C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3F72CAF-2BCA-454D-B8AC-951EC566A965\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0C7CB5D-CE55-4628-957D-3D2C5EE2353B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9E1FBB4-D63F-4AA0-ADE3-70527F4D84A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D2D1BF3-879B-44C5-B3A0-2E91B27BFF29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BB7835-2BFD-4182-B112-7E8A9FF2449C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80CE2090-A5AF-47B8-BB7D-727FFF093413\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B28527E-92CB-4171-8EE3-9187C3F44EC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CB85396-4D94-4752-A134-A1644C707777\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6802D01-6220-4EBE-B267-10DC14E6D186\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAD4EC47-7DD8-443B-8821-DFAE03FE2FD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA084D8B-FEFC-41D5-A384-1DCB297CC1A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F5756FE-158A-4194-9E5E-EA918C4A3D1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"F344F3CE-C45E-4C3A-9F48-DAA0F2A49137\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"45C7BA91-93C2-4615-8A4D-11702FF5A155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"615DED7F-691F-4EF8-BE82-6E51B4971BFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"467F335F-6FA1-413F-995F-29136658D969\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BABC38A1-0034-4CDE-B580-8026D6E0FE39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFA63C78-B234-4EBA-99A2-070213D1DA19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"997EF82A-B6C0-403A-BA58-E174FF2D981F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FAE56E4F-47D3-41F4-951E-3E4BBE74B6D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8601673A-8FF8-4430-BB24-038443E1CED8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFD82372-D143-4AE7-8FE0-40FFD8F3E153\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCA00E55-32EB-41D7-B6FB-756738E4F9F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FEE90095-47A7-425E-8D9E-20D974647813\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.3.0:alpha1:*:*:*:*:*:*\",\"matchCriteriaId\":\"75FFBFC9-8D65-40E5-B6D5-53A945247518\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.3.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E1A0582-A538-4FB7-A358-52C79266B383\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.3.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5B740914-9270-4FF5-93F6-99A51FF9C012\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.3.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D1FDCC9-ABC7-442D-8D84-82BEFD4D380D\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/97941\",\"source\":\"mlhess@drupal.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1038371\",\"source\":\"mlhess@drupal.org\"},{\"url\":\"https://www.drupal.org/SA-CORE-2017-002\",\"source\":\"mlhess@drupal.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/97941\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1038371\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.drupal.org/SA-CORE-2017-002\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2017-05283

Vulnerability from cnvd - Published: 2017-04-25

Title

Drupal Core权限绕过漏洞

Description

Drupal是Drupal社区所维护的一套用PHP语言开发的免费、开源的内容管理系统。 Drupal Core 8.2.8之前的8版本和8.3.1之前的8.3版本中存在权限绕过漏洞。如果启用了RESTful Web Services (rest)模块，该站点允许PATCH请求，且攻击者可以注册或访问用户帐户，则允许攻击者利用漏洞绕过安全限制，执行未授权操作。

Severity

中

Patch Name

Drupal RESTful Web Services模块权限绕过漏洞的补丁

Patch Description

Drupal是Drupal社区所维护的一套用PHP语言开发的免费、开源的内容管理系统。 Drupal 8.2.8之前的8版本和8.3.1之前的8.3版本中的RESTful Web Services模块存在权限绕过漏洞。攻击者可利用该漏洞获取用户帐户并绕过访问权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.drupal.org/SA-CORE-2017-002

Reference

https://www.drupal.org/SA-CORE-2017-002 http://www.securityfocus.com/bid/97941

Impacted products

Name
['Drupal Drupal 8<，8.2.8', 'Drupal Drupal 8.3，<8.3.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "97941"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6919"
    }
  },
  "description": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal Core 8.2.8\u4e4b\u524d\u76848\u7248\u672c\u548c8.3.1\u4e4b\u524d\u76848.3\u7248\u672c\u4e2d\u5b58\u5728\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u5982\u679c\u542f\u7528\u4e86RESTful Web Services (rest)\u6a21\u5757\uff0c\u8be5\u7ad9\u70b9\u5141\u8bb8PATCH\u8bf7\u6c42\uff0c\u4e14\u653b\u51fb\u8005\u53ef\u4ee5\u6ce8\u518c\u6216\u8bbf\u95ee\u7528\u6237\u5e10\u6237\uff0c\u5219\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u64cd\u4f5c\u3002",
  "discovererName": "Samuel Mortenson",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.drupal.org/SA-CORE-2017-002",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-05283",
  "openTime": "2017-04-25",
  "patchDescription": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal 8.2.8\u4e4b\u524d\u76848\u7248\u672c\u548c8.3.1\u4e4b\u524d\u76848.3\u7248\u672c\u4e2d\u7684RESTful Web Services\u6a21\u5757\u5b58\u5728\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u7528\u6237\u5e10\u6237\u5e76\u7ed5\u8fc7\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Drupal RESTful Web Services\u6a21\u5757\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Drupal Drupal 8\u003c\uff0c8.2.8",
      "Drupal Drupal 8.3\uff0c\u003c8.3.1"
    ]
  },
  "referenceLink": "https://www.drupal.org/SA-CORE-2017-002\r\nhttp://www.securityfocus.com/bid/97941",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-21",
  "title": "Drupal Core\u6743\u9650\u7ed5\u8fc7\u6f0f\u6d1e"
}

FKIE_CVE-2017-6919

Vulnerability from fkie_nvd - Published: 2017-04-20 02:59 - Updated: 2025-04-20 01:37

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

References

URL	Tags
mlhess@drupal.org	http://www.securityfocus.com/bid/97941	Third Party Advisory, VDB Entry
mlhess@drupal.org	http://www.securitytracker.com/id/1038371
mlhess@drupal.org	https://www.drupal.org/SA-CORE-2017-002	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/97941	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1038371
af854a3a-2127-422b-91ae-364da2661108	https://www.drupal.org/SA-CORE-2017-002	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.0
drupal	drupal	8.0.1
drupal	drupal	8.0.2
drupal	drupal	8.0.3
drupal	drupal	8.0.4
drupal	drupal	8.0.5
drupal	drupal	8.0.6
drupal	drupal	8.1.0
drupal	drupal	8.1.0
drupal	drupal	8.1.0
drupal	drupal	8.1.0
drupal	drupal	8.1.1
drupal	drupal	8.1.2
drupal	drupal	8.1.3
drupal	drupal	8.1.4
drupal	drupal	8.1.5
drupal	drupal	8.1.6
drupal	drupal	8.1.7
drupal	drupal	8.1.8
drupal	drupal	8.1.9
drupal	drupal	8.1.10
drupal	drupal	8.2.0
drupal	drupal	8.2.0
drupal	drupal	8.2.0
drupal	drupal	8.2.0
drupal	drupal	8.2.0
drupal	drupal	8.2.0
drupal	drupal	8.2.1
drupal	drupal	8.2.2
drupal	drupal	8.2.3
drupal	drupal	8.2.4
drupal	drupal	8.2.5
drupal	drupal	8.2.6
drupal	drupal	8.2.7
drupal	drupal	8.3.0
drupal	drupal	8.3.0
drupal	drupal	8.3.0
drupal	drupal	8.3.0
drupal	drupal	8.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C20DAD7-13A7-40F7-B6E0-965DB4E14508",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*",
              "matchCriteriaId": "144694E6-3287-4F4D-A687-7F495133DBA2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*",
              "matchCriteriaId": "581D686B-1061-4271-BEF4-17A429BD666A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*",
              "matchCriteriaId": "E3E45AA6-5FAF-4C63-91F5-0765CE60191A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*",
              "matchCriteriaId": "FE5D81CF-AE7B-4A9C-AD8F-9A19D2AC35DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*",
              "matchCriteriaId": "A27535A5-7C4F-4548-A4B8-5FFBD58361D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*",
              "matchCriteriaId": "17BC6508-3518-4BB5-B29F-4E6CB6DE9D44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "8CBB5620-5847-443F-8356-B66EE93A3779",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "3E81260D-E0D2-4FD2-AAED-99945404EB00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "5A7D34E6-76E0-4BCB-A4C8-9401C7331EF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*",
              "matchCriteriaId": "201E2EA9-B811-4BB2-867A-6F12DC472911",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*",
              "matchCriteriaId": "C957B189-10C2-4D42-B5B9-03F7DE287C8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*",
              "matchCriteriaId": "A7E21838-CDEC-41B2-AE40-C78DE8984B6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*",
              "matchCriteriaId": "639F0284-85D1-40B0-B337-77632E7A664B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*",
              "matchCriteriaId": "5F4B611A-3628-41EA-878D-BF9D6C34AA83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "856E46E5-1BF3-42F4-AFCB-81275B1EF265",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*",
              "matchCriteriaId": "B351F769-598F-4E3E-99EA-94A5516995A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*",
              "matchCriteriaId": "220900E6-5859-4CA9-831E-3FF3C128F060",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*",
              "matchCriteriaId": "0D55D51E-DE2D-469C-9F9C-F312A02EE921",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*",
              "matchCriteriaId": "259B5FE7-2808-4F61-B98C-73ECC7F9503C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*",
              "matchCriteriaId": "BA263BE6-2088-4E18-914B-96CFAA0093E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*",
              "matchCriteriaId": "906AED87-8C5C-4214-B5AD-43E5573E357A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*",
              "matchCriteriaId": "E150FDA8-5271-465C-8DE0-F44E9FC81E90",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "4E036D4F-BD94-4F77-883C-165B3F0802C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "7A7068F8-810D-4720-9E0E-06DB1DD366ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "443183F6-9EF5-41AE-8AD0-B304BBF1670A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "58C5EF43-E24F-4BDB-9496-16DE4EEF3E67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "B00B494B-736A-47A7-ACF3-81368C033086",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*",
              "matchCriteriaId": "E275F22B-7A46-4107-BE6F-6C4D7EAA46FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "63530139-7EF2-4210-9870-B06175ECBC58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "ED085089-51D6-4E5C-96E8-CC5C7C55CC97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "36FC67CE-9C45-4842-81AF-EEAE557D70D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "5FE6AC83-B248-4491-A320-836C65E64D6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "99D7F3C7-3EC6-48D2-A8D5-1F987FD74A20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "434D4D80-44C0-4278-A09B-005A599F4658",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CF1BC91-4A24-40FC-8EEC-E4FAD624C2CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "43067661-B562-41BC-B272-8A79075291B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA9EF375-AE7C-4900-A992-C635228889E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "53FA0C7F-000A-4CB4-86E3-DEC0C9DCA1BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E39B2B71-C1B8-4A16-88FE-D691CC3C9BE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "535BC461-E9B1-4124-8125-1D9F91CF4F68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "06F63C7F-CE02-428D-90CD-05B726C0026D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "F18278D5-A30B-4624-AC64-CA39F92EB8C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3F72CAF-2BCA-454D-B8AC-951EC566A965",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0C7CB5D-CE55-4628-957D-3D2C5EE2353B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9E1FBB4-D63F-4AA0-ADE3-70527F4D84A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D2D1BF3-879B-44C5-B3A0-2E91B27BFF29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2BB7835-2BFD-4182-B112-7E8A9FF2449C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "80CE2090-A5AF-47B8-BB7D-727FFF093413",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B28527E-92CB-4171-8EE3-9187C3F44EC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "3CB85396-4D94-4752-A134-A1644C707777",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6802D01-6220-4EBE-B267-10DC14E6D186",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAD4EC47-7DD8-443B-8821-DFAE03FE2FD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA084D8B-FEFC-41D5-A384-1DCB297CC1A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "5F5756FE-158A-4194-9E5E-EA918C4A3D1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "F344F3CE-C45E-4C3A-9F48-DAA0F2A49137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "45C7BA91-93C2-4615-8A4D-11702FF5A155",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "615DED7F-691F-4EF8-BE82-6E51B4971BFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "467F335F-6FA1-413F-995F-29136658D969",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BABC38A1-0034-4CDE-B580-8026D6E0FE39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFA63C78-B234-4EBA-99A2-070213D1DA19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "997EF82A-B6C0-403A-BA58-E174FF2D981F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "FAE56E4F-47D3-41F4-951E-3E4BBE74B6D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "8601673A-8FF8-4430-BB24-038443E1CED8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "AFD82372-D143-4AE7-8FE0-40FFD8F3E153",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCA00E55-32EB-41D7-B6FB-756738E4F9F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FEE90095-47A7-425E-8D9E-20D974647813",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.3.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "75FFBFC9-8D65-40E5-B6D5-53A945247518",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.3.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "4E1A0582-A538-4FB7-A358-52C79266B383",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.3.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "5B740914-9270-4FF5-93F6-99A51FF9C012",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:8.3.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "8D1FDCC9-ABC7-442D-8D84-82BEFD4D380D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
    },
    {
      "lang": "es",
      "value": "Drupal 8 en versiones anteriores a 8.2.8 y 8.3 en versiones anteriores a 8.3.1 permite elusi\u00f3n de acceso cr\u00edtica por usuarios autenticados si el m\u00f3dulo RESTful Web Services (resto) est\u00e1 habilitado y el sitio permite solicitudes PATCH."
    }
  ],
  "id": "CVE-2017-6919",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-04-20T02:59:00.143",
  "references": [
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97941"
    },
    {
      "source": "mlhess@drupal.org",
      "url": "http://www.securitytracker.com/id/1038371"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97941"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1038371"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    }
  ],
  "sourceIdentifier": "mlhess@drupal.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-6HPJ-9XJ7-2JXX

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2024-04-23 22:34

Summary

Drupal access control bypass vulnerability

Details

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.3.0"
            },
            {
              "fixed": "8.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.3.0"
            },
            {
              "fixed": "8.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-6919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:34:34Z",
    "nvd_published_at": "2017-04-20T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.",
  "id": "GHSA-6hpj-9xj7-2jxx",
  "modified": "2024-04-23T22:34:34Z",
  "published": "2022-05-13T01:46:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6919.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6919.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-2017-002"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97941"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal access control bypass vulnerability"
}

CERTFR-2017-AVI-124

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été corrigée dans Drupal Core. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Drupal	Drupal	Drupal Core versions 8.2.x versions antérieures à 8.2.8
	Drupal	Drupal	Drupal Core versions 8.3.x versions antérieures à 8.3.1

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal SA-CORE-2017-002 du 19 avril 2017	None	vendor-advisory
Bulletin de sécurité Drupal SA-CORE-2017-002 du 19 avril 2017	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal Core versions 8.2.x versions ant\u00e9rieures \u00e0 8.2.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 8.3.x versions ant\u00e9rieures \u00e0 8.3.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2017-6919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-6919"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-002 du 19 avril    2017",
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    }
  ],
  "reference": "CERTFR-2017-AVI-124",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2017-04-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan class=\"textit\"\u003eDrupal\nCore\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer un contournement de\nla politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-002 du 19 avril 2017",
      "url": null
    }
  ]
}

CERTFR-2017-AVI-124

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été corrigée dans Drupal Core. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Drupal	Drupal	Drupal Core versions 8.2.x versions antérieures à 8.2.8
	Drupal	Drupal	Drupal Core versions 8.3.x versions antérieures à 8.3.1

References

Title

Publication Time

Tags

Bulletin de sécurité Drupal SA-CORE-2017-002 du 19 avril 2017	None	vendor-advisory
Bulletin de sécurité Drupal SA-CORE-2017-002 du 19 avril 2017	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal Core versions 8.2.x versions ant\u00e9rieures \u00e0 8.2.8",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal Core versions 8.3.x versions ant\u00e9rieures \u00e0 8.3.1",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2017-6919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-6919"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-002 du 19 avril    2017",
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    }
  ],
  "reference": "CERTFR-2017-AVI-124",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2017-04-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 corrig\u00e9e dans \u003cspan class=\"textit\"\u003eDrupal\nCore\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer un contournement de\nla politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Drupal Core",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-002 du 19 avril 2017",
      "url": null
    }
  ]
}

GSD-2017-6919

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Aliases

CVE-2017-6919

Aliases

CVE-2017-6919

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-6919",
    "description": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.",
    "id": "GSD-2017-6919"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-6919"
      ],
      "details": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.",
      "id": "GSD-2017-6919",
      "modified": "2023-12-13T01:21:10.231572Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@drupal.org",
        "ID": "CVE-2017-6919",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Drupal",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Drupal"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "access bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "97941",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97941"
          },
          {
            "name": "https://www.drupal.org/SA-CORE-2017-002",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/SA-CORE-2017-002"
          },
          {
            "name": "1038371",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1038371"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0.0-alpha0,\u003c8.2.8||\u003e=8.3.0-alpha0,\u003c8.3.1",
          "affected_versions": "All versions starting from 8.0.0-alpha0 before 8.2.8, all versions starting from 8.3.0-alpha0 before 8.3.1",
          "credit": "Samuel Mortenson",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2019-10-02",
          "description": "This is a critical access bypass vulnerability in Drupal.",
          "fixed_versions": [
            "8.2.8",
            "8.3.1"
          ],
          "identifier": "CVE-2017-6919",
          "identifiers": [
            "CVE-2017-6919"
          ],
          "not_impacted": "All versions before 8.0.0-alpha0, all versions starting from 8.2.8 before 8.3.0-alpha0, all versions starting from 8.3.1",
          "package_slug": "packagist/drupal/core",
          "pubdate": "2017-04-19",
          "solution": "Upgrade to versions 8.2.8, 8.3.1 or above.",
          "title": "Access Bypass",
          "urls": [
            "https://groups.drupal.org/node/516645",
            "https://www.drupal.org/SA-CORE-2017-002"
          ],
          "uuid": "06ca555b-a274-4a6e-a19d-3ee1e00ef877"
        },
        {
          "affected_range": "\u003e=8.0.0,\u003c=8.0.6||\u003e=8.1.0,\u003c=8.1.10||\u003e=8.2.0,\u003c=8.2.7||=8.3.0",
          "affected_versions": "All versions starting from 8.0.0 up to 8.0.6, all versions starting from 8.1.0 up to 8.1.10, all versions starting from 8.2.0 up to 8.2.7, version 8.3.0",
          "credit": "Samuel Mortenson",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2019-10-03",
          "description": "Drupal allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.",
          "fixed_versions": [
            "8.2.8",
            "8.3.1"
          ],
          "identifier": "CVE-2017-6919",
          "identifiers": [
            "CVE-2017-6919"
          ],
          "not_impacted": "All versions before 8.0.0, all versions after 8.0.6 before 8.1.0, all versions after 8.1.10 before 8.2.0, all versions after 8.2.7 before 8.3.0, all versions after 8.3.0",
          "package_slug": "packagist/drupal/drupal",
          "pubdate": "2017-04-20",
          "solution": "Upgrade to versions 8.2.8, 8.3.1 or above.",
          "title": "Access Bypass",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-6919",
            "http://www.securityfocus.com/bid/97941",
            "https://www.drupal.org/SA-CORE-2017-002",
            "https://groups.drupal.org/node/516645"
          ],
          "uuid": "0fa0a6f1-309d-43de-877e-1e9ea3c03474"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.3.0:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.3.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.3.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.3.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2017-6919"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/SA-CORE-2017-002",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.drupal.org/SA-CORE-2017-002"
            },
            {
              "name": "97941",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97941"
            },
            {
              "name": "1038371",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1038371"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2017-04-20T02:59Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-6919 (GCVE-0-2017-6919)

CNVD-2017-05283

FKIE_CVE-2017-6919

GHSA-6HPJ-9XJ7-2JXX

CERTFR-2017-AVI-124

Solution

CERTFR-2017-AVI-124

Solution

GSD-2017-6919

Tags

Sightings

Nomenclature