CVE-2017-6919 — Improper Access Control in Drupal Core

CWE-284 — Improper Access Control6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 30.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedApr 20

Latest updateMay 13

Description

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages4 packages

▶Packagistdrupal/core8.0 — 8.2.8+1

▶Packagistdrupal/drupal8.0 — 8.2.8+1

▶CVEListV5drupal/drupalDrupal

▶NVDdrupal/drupal27 versions+26

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Drupal access control bypass vulnerability↗2022-05-13

▶

OSV

Drupal access control bypass vulnerability↗2022-05-13

▶

CVEList

CVE-2017-6919: Drupal 8 before 8↗2017-04-20

▶

💬Community

Bugzilla

CVE-2017-6919 drupal8: Access bypass [fedora-all]↗2017-04-20

▶

Bugzilla

CVE-2017-6919 drupal8: Access bypass↗2017-04-20

▶