CVE-2022-25274
Published: 2023-04-26
Priority P430 · medium · CVSS 3.1 score 5.4
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.42% (33.9th percentile)
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 9.3 < 9.3.12 | 9.3.12 |
| drupal | core | >= 9.3.0 < 9.3.12 | 9.3.12 |
| drupal | drupal | >= 9.3.0 < 9.3.12 | 9.3.12 |
| drupal | drupal_core | — | — |
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
osv · 5.4 MEDIUM
GHSA
Access bypass in Drupal core
ghsa · 2023-04-26 · CVE-2022-25274 · MEDIUM · CWE-863
Description identical to the NVD text above, with one addition: all releases prior to Drupal 9.3 (including Drupal 7) are not affected.
OSV
Three OSV records carry this CVE, all with the same description as the NVD text above:
- Access bypass in Drupal core · osv · 2023-04-26 · MEDIUM (same text as the GHSA entry, including the note that all releases prior to Drupal 9.3, including Drupal 7, are not affected)
- CVE-2022-25274: Drupal 9 · osv · 2023-04-26 · MEDIUM · CVSS 5.4
- CVE-2022-25274: Drupal 9 · osv · 2022-04-20 (same text as the Drupal advisory below; this advisory is not covered by [Drupal Steward](/steward))
Drupal
Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009
vendor_drupal · 2022-04-20 · CVE-2022-25274 · MEDIUM
Vulnerability Type: Access bypass
Description: Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: if you are using Drupal 9.3, update to Drupal 9.3.12. All releases prior to Drupal 9.3 (including Drupal 7) are not affected.
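The precondition here is an authenticated user who already holds a revision-level permission (the "view all revisions" family or its per-bundle equivalents) but not item-level access to a particular node or media item, which is what the PR:L vector reflects. The fix is the core update; the following is an added defense-in-depth example for sites that cannot update immediately, not Drupal core's 9.3.12 patch and not a substitute for it. It assumes a hypothetical custom module named revision_guard (this would be its revision_guard.module file) and assumes the revision operation names used by Drupal 9.3's node and media revision routes ('view revision', 'view all revisions', 'revert revision', 'delete revision'); confirm those names against the running core version. The hook re-runs the ordinary item-level access check (view, update or delete) on the default revision and, for an older revision, on the revision object itself, and returns forbidden when that fails. In hook_entity_access a forbidden result overrides any allow, which restores the coupling between revision-level and item-level permissions that the advisory describes as incomplete.

```php
<?php

/**
 * @file
 * Defense in depth for SA-CORE-2022-009 (CVE-2022-25274).
 *
 * Added example, not Drupal core's own fix. Hypothetical module name:
 * revision_guard. Keep it only until core is at 9.3.12 or later.
 *
 * Every revision-level operation on a node or media item must also pass the
 * item-level check on that same item. A user with "view all revisions" but no
 * "view" access to a specific item (unpublished, grant-restricted, ...) gets a
 * forbidden result, which overrides any allow from other hooks.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\RevisionableInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Revision operation => item-level operation it must not exceed.
 *
 * Operation names are assumed to match the Drupal 9.3 node/media revision
 * routes; verify against the installed core version.
 */
const REVISION_GUARD_OPERATION_MAP = [
  'view revision' => 'view',
  'view all revisions' => 'view',
  'revert revision' => 'update',
  'delete revision' => 'delete',
];

/**
 * Implements hook_entity_access().
 */
function revision_guard_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // Stay within the advisory's scope: node and media revision operations only.
  if (!in_array($entity->getEntityTypeId(), ['node', 'media'], TRUE)
    || !isset(REVISION_GUARD_OPERATION_MAP[$operation])
    || !$entity instanceof RevisionableInterface) {
    return AccessResult::neutral();
  }
  $item_operation = REVISION_GUARD_OPERATION_MAP[$operation];

  // Check the default revision through the normal entity access path. The
  // mapped operation is never a revision operation, so the nested access()
  // call falls through the early return above; there is no recursion.
  $storage = \Drupal::entityTypeManager()->getStorage($entity->getEntityTypeId());
  $default = $storage->load($entity->id());
  if ($default === NULL) {
    return AccessResult::neutral();
  }
  $result = $default->access($item_operation, $account, TRUE);

  // For a non-default (older) revision the revision object must pass as well.
  if (!$entity->isDefaultRevision()) {
    $result = $result->andIf($entity->access($item_operation, $account, TRUE));
  }

  // Only the deny side is enforced here; whether to allow is left to the
  // entity's own access control handler. Forbidden wins in hook_entity_access.
  if (!$result->isAllowed()) {
    return AccessResult::forbidden('Revision operations require access to the item itself.')
      ->addCacheableDependency($result)
      ->cachePerPermissions()
      ->cachePerUser();
  }
  return AccessResult::neutral()->addCacheableDependency($result);
}
```

To verify the guard, enable the module, clear caches, and log in as a test account that holds only the revision permission plus "access content": with this hook active it can open the revisions of a published node it is allowed to view, and gets 403 on the revisions of an unpublished node it cannot view. Remove the module after updating core so it does not mask later changes in core's own revision access logic.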
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.