cve-2017-6930
Vulnerability from cvelistv5
Published
2018-03-01 22:00
Modified
2024-09-16 17:48
Severity ?
EPSS score ?
Summary
In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().
References
| ▼ | URL | Tags | |
|---|---|---|---|
| mlhess@drupal.org | https://www.drupal.org/sa-core-2018-001 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Drupal.org | Drupal Core |
Version: 8.4.x versions before 8.4.5 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:49:01.294Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.drupal.org/sa-core-2018-001"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Drupal Core",
"vendor": "Drupal.org",
"versions": [
{
"status": "affected",
"version": "8.4.x versions before 8.4.5"
}
]
}
],
"datePublic": "2018-02-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records()."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Access bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-02T01:57:01",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.drupal.org/sa-core-2018-001"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@drupal.org",
"DATE_PUBLIC": "2018-02-21T00:00:00",
"ID": "CVE-2017-6930",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Drupal Core",
"version": {
"version_data": [
{
"version_value": "8.4.x versions before 8.4.5"
}
]
}
}
]
},
"vendor_name": "Drupal.org"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Access bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.drupal.org/sa-core-2018-001",
"refsource": "CONFIRM",
"url": "https://www.drupal.org/sa-core-2018-001"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2017-6930",
"datePublished": "2018-03-01T22:00:00Z",
"dateReserved": "2017-03-16T00:00:00",
"dateUpdated": "2024-09-16T17:48:09.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-6930\",\"sourceIdentifier\":\"mlhess@drupal.org\",\"published\":\"2018-03-01T23:29:00.450\",\"lastModified\":\"2019-10-03T00:03:26.223\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().\"},{\"lang\":\"es\",\"value\":\"En las versiones 8.4.x de Drupal anteriores a la 8.4.5, al emplear controles de acceso a nodos con un sitio multiling\u00fce, Drupal marca la versi\u00f3n sin traducir de un nodo como la reserva por defecto para consultas de acceso. Esta reserva se emplea para lenguajes que a\u00fan no cuentan con una versi\u00f3n traducida del nodo creado. Esto puede resultar en una vulnerabilidad de omisi\u00f3n de acceso. El problema se mitiga por el hecho de que solo aplica a sitios que a) emplean el m\u00f3dulo Content Translation y b) emplean un m\u00f3dulo de acceso a nodos como Domain Access que implementa hook_node_access_records().\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.4.0\",\"versionEndExcluding\":\"8.4.5\",\"matchCriteriaId\":\"5C4AF907-5109-48BA-B510-8BC32A82C632\"}]}]}],\"references\":[{\"url\":\"https://www.drupal.org/sa-core-2018-001\",\"source\":\"mlhess@drupal.org\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.