Blogroll: Drupal Security
I read blogs, as well as write one. The 'blogroll' on this site reproduces some posts from some of the people I enjoy reading. There is currently 1 post from the blog 'Drupal Security.'
Disclaimer: Reproducing an article here need not necessarily imply agreement or endorsement!
- Advisory ID: DRUPAL-SA-CORE-2017-002
- Project: Drupal core
- Version: 8.x
- Date: 2017-April-19
- CVEID: CVE-2017-6919
- Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
- Vulnerability: Access bypass
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
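The three conditions above are what a site owner needs to verify. The following script is an added example, not part of the advisory or of Drupal itself: it reads the core version from `core/lib/Drupal.php` and the enabled-module list from `core.extension.yml` in the config sync directory (both standard Drupal 8 locations), and applies the version ranges the advisory gives (8.x prior to 8.2.8 and 8.3.1; 7.x unaffected). The PATCH check is an assumption: it treats any `rest.resource.*.yml` file that mentions PATCH as "PATCH allowed", which is a heuristic rather than a full parse of the REST configuration. The third condition (an attacker can obtain an account) depends on the site's registration policy and is left for manual review. The sample site tree it builds is constructed so the script runs offline.

```python
"""Check a Drupal 8 site tree against the SA-CORE-2017-002 conditions.

Added example, not advisory or Drupal code. Assumes the standard layout:
core/lib/Drupal.php holds "const VERSION = '...'", core.extension.yml in
the config sync dir lists enabled modules. The PATCH test is a heuristic
(assumption): a rest.resource.*.yml mentioning PATCH counts as allowed.
"""
import glob
import os
import re
import tempfile


def parse_version(version):
    """Turn '8.3.0', '8.2.8-rc1' or '7.54' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_is_affected(version):
    """Affected per the advisory: Drupal 8 prior to 8.2.8 and 8.3.1; 7.x is not."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False
    if minor < 2:          # 8.0.x and 8.1.x are below both fixed releases
        return True
    if minor == 2:
        return patch < 8   # fixed in 8.2.8
    if minor == 3:
        return patch < 1   # fixed in 8.3.1
    return False           # later minors were released after the fix


def read_core_version(drupal_root):
    """Read the VERSION constant from core/lib/Drupal.php."""
    path = os.path.join(drupal_root, "core", "lib", "Drupal.php")
    with open(path) as fh:
        m = re.search(r"const VERSION = '([^']+)';", fh.read())
    if not m:
        raise ValueError("no VERSION constant in %s" % path)
    return m.group(1)


def enabled_modules(config_sync_dir):
    """Keys under 'module:' in core.extension.yml (line-based, no YAML library)."""
    path = os.path.join(config_sync_dir, "core.extension.yml")
    modules, in_module_block = set(), False
    with open(path) as fh:
        for line in fh:
            if line.strip() and not line.startswith(" "):   # top-level key
                in_module_block = line.strip() == "module:"
                continue
            if in_module_block and ":" in line:
                modules.add(line.split(":", 1)[0].strip())
    return modules


def patch_allowed(config_sync_dir):
    """Heuristic (assumption): any REST resource config mentioning PATCH."""
    for path in glob.glob(os.path.join(config_sync_dir, "rest.resource.*.yml")):
        with open(path) as fh:
            if re.search(r"\bPATCH\b", fh.read()):
                return True
    return False


def assess(drupal_root, config_sync_dir):
    """Evaluate the conditions the site tree can answer; account access is manual."""
    version = read_core_version(drupal_root)
    result = {
        "version": version,
        "version_affected": version_is_affected(version),
        "rest_enabled": "rest" in enabled_modules(config_sync_dir),
        "patch_allowed": patch_allowed(config_sync_dir),
        "account_obtainable": "check registration policy manually",
    }
    result["affected"] = all(
        (result["version_affected"], result["rest_enabled"], result["patch_allowed"])
    )
    return result


def build_sample_site(version, rest_enabled, allow_patch):
    """Constructed sample site tree so the check runs offline; not real site data."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "core", "lib"))
    cfg = os.path.join(root, "config", "sync")
    os.makedirs(cfg)
    with open(os.path.join(root, "core", "lib", "Drupal.php"), "w") as fh:
        fh.write("<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" % version)
    modules = ["node", "serialization", "system", "user"] + (["rest"] if rest_enabled else [])
    with open(os.path.join(cfg, "core.extension.yml"), "w") as fh:
        fh.write("module:\n" + "".join("  %s: 0\n" % m for m in sorted(modules)))
        fh.write("theme:\n  bartik: 0\nprofile: standard\n")
    if rest_enabled:
        methods = ["GET", "PATCH"] if allow_patch else ["GET"]
        with open(os.path.join(cfg, "rest.resource.entity.node.yml"), "w") as fh:
            fh.write("id: entity.node\nplugin_id: 'entity:node'\nmethods:\n")
            fh.write("".join("  - %s\n" % m for m in methods))
    return root, cfg


if __name__ == "__main__":
    root, cfg = build_sample_site("8.3.0", rest_enabled=True, allow_patch=True)
    for key, value in assess(root, cfg).items():
        print("%-18s %s" % (key, value))
```

Run it against a real site by passing the Drupal root and its config sync directory to `assess()`; a `False` for any of the three automated conditions means the advisory does not apply, while `True` for all three means the site should be updated per the solution section.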
While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
- Drupal 8 prior to 8.2.8 and 8.3.1.
- Drupal 7.x is not affected.
- If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
- If the site is running Drupal 8.3.0, upgrade to 8.3.1.
Also see the Drupal core project page.
Reported by
- Alex Pott of the Drupal Security Team
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Wim Leers
- Sascha Grossenbacher
- Daniel Wehner
- Tobias Stöckler
- Nathaniel Catchpole of the Drupal Security Team
- The Drupal Security team
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity