Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

* Advisory ID: DRUPAL-SA-CORE-2017-002
* Project: Drupal core
* Version: 8.x
* Date: 2017-April-19
* CVEID: CVE-2017-6919
* Security risk: 17/25 (Critical)
* Vulnerability: Access bypass


This is a critical access bypass vulnerability. A site is only affected by
this if the following conditions are met:

* The site has the RESTful Web Services (rest) module enabled.
* The site allows PATCH requests.
* An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor
releases, given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.


* Drupal 8 prior to 8.2.8 and 8.3.1.
* Drupal 7.x is not affected.


* If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
* If the site is running Drupal 8.3.0, upgrade to 8.3.1.
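
One way to triage a fleet against the conditions and fixed releases listed above. This is an added example, not part of the Drupal advisory; the inventory schema (`version`, `rest_enabled`, `patch_allowed`, `accounts_obtainable`), the status names and the sample records are constructed assumptions.

```python
import re

# Fixed releases stated in the advisory.
FIXED_82, FIXED_83 = (8, 2, 8), (8, 3, 1)

def parse_version(text):
    """Parse '8.2.7', '8.3.0-rc1', '7.54' or '8.3.x-dev' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    # A missing or non-numeric patch ('8.3.x-dev') counts as 0, the conservative choice.
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(site):
    """Return (status, upgrade_to) for one inventory record (hypothetical schema)."""
    ver = parse_version(site["version"])
    if ver[0] != 8:
        # The advisory covers 8.x and states that 7.x is not affected.
        return ("not_affected" if ver[0] == 7 else "not_covered", None)
    fixed = FIXED_83 if ver[:2] >= (8, 3) else FIXED_82
    if ver >= fixed:
        return ("patched", None)
    target = ".".join(map(str, fixed))
    exposed = (site["rest_enabled"] and site["patch_allowed"]
               and site["accounts_obtainable"])
    # All three advisory conditions must hold for the site to be affected.
    return ("affected" if exposed else "conditions_not_met", target)

# Constructed sample inventory; field names are assumptions, not a Drupal format.
FIELDS = ("name", "version", "rest_enabled", "patch_allowed", "accounts_obtainable")
INVENTORY = [dict(zip(FIELDS, row)) for row in [
    ("shop", "8.2.7", True, True, True),
    ("intranet", "8.3.0", False, False, True),
    ("staging", "8.3.0-rc1", True, True, True),
    ("blog", "8.3.1", True, True, True),
    ("legacy", "7.54", False, False, True),
]]

def report(inventory):
    """Map each site name to its (status, upgrade_to) result."""
    return {site["name"]: triage(site) for site in inventory}

if __name__ == "__main__":
    for name, (status, target) in report(INVENTORY).items():
        print(f"{name:10} {status:20} upgrade to: {target or '-'}")
```

Sites reported as `conditions_not_met` still run an unfixed release and keep their upgrade target, so they can be scheduled after the `affected` ones.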

Also see the Drupal core project page: https://www.drupal.org/project/drupal
