github - ghsa-6hpj-9xj7-2jxx

ghsa-6hpj-9xj7-2jxx

Vulnerability from github

Published

2022-05-13 01:46

Modified

2024-04-23 22:34

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Drupal access control bypass vulnerability

Details

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.3.0"
            },
            {
              "fixed": "8.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.3.0"
            },
            {
              "fixed": "8.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-6919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:34:34Z",
    "nvd_published_at": "2017-04-20T02:59:00Z",
    "severity": "HIGH"
  },
  "details": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.",
  "id": "GHSA-6hpj-9xj7-2jxx",
  "modified": "2024-04-23T22:34:34Z",
  "published": "2022-05-13T01:46:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6919"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6919.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6919.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-2017-002"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-CORE-2017-002"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97941"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038371"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal access control bypass vulnerability"
}

cve-2017-6919

Vulnerability from cvelistv5

Published

2017-04-20 02:43

Modified

2024-08-05 15:49

Severity ?

Summary

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/97941	vdb-entry, x_refsource_BID
	https://www.drupal.org/SA-CORE-2017-002	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1038371	vdb-entry, x_refsource_SECTRACK

Impacted products

Vendor

Product

Version

▼

n/a

Drupal

Version: Drupal

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:49:02.380Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "97941",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97941"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.drupal.org/SA-CORE-2017-002"
          },
          {
            "name": "1038371",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038371"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Drupal",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Drupal"
            }
          ]
        }
      ],
      "datePublic": "2017-04-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "access bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-10T09:57:01",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "name": "97941",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97941"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.drupal.org/SA-CORE-2017-002"
        },
        {
          "name": "1038371",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038371"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2017-6919",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Drupal",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Drupal"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "access bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "97941",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97941"
            },
            {
              "name": "https://www.drupal.org/SA-CORE-2017-002",
              "refsource": "CONFIRM",
              "url": "https://www.drupal.org/SA-CORE-2017-002"
            },
            {
              "name": "1038371",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038371"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2017-6919",
    "datePublished": "2017-04-20T02:43:00",
    "dateReserved": "2017-03-16T00:00:00",
    "dateUpdated": "2024-08-05T15:49:02.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted