CVE-2017-6925: Improper Privilege Management in Drupal

Severity
9.8 CRITICAL (NVD)
EPSS
0.6%
top 30.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 15
Latest update: May 13

Description

In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Packagist  drupal/core    8.0    8.3.7
NVD        drupal/drupal  8.0.0  8.3.7
Packagist  drupal/drupal  8.0    8.3.7

🔴Vulnerability Details

3
GHSA
Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions (2022-05-13)
OSV
Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions (2022-05-13)
CVEList
CVE-2017-6925: In versions of Drupal 8 core prior to 8 (2019-01-15)

💬Community

2
Bugzilla
CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-004 [fedora-all] (2017-08-22)
Bugzilla
CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-004 (2017-08-22)