Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.
*Upgrading your existing Drupal 8 sites is strongly recommended.* There
are no new features or non-security-related bug fixes in this release. See
the 8.2.7 release notes for details on important changes and known issues
affecting this release. Read on for details of the security vulnerabilities
that were fixed in this release.
* Advisory ID: DRUPAL-SA-CORE-2017-001
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2017-March-15
.. Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377
When adding a private file via a configured text editor (like CKEditor), the
editor will not correctly check access for the file being attached, resulting
in an access bypass.
.. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379
Some administrative paths did not include protection for CSRF. This would
allow an attacker to disable some blocks on a site. This issue is mitigated
by the fact that users would have to know the block ID.
.. Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381
A 3rd party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution.
This is mitigated by the default .htaccess protection against PHP execution,
and the fact that Composer development dependencies aren't normally installed.
You might be vulnerable to this if you are running a version of Drupal before
8.2.2. To be sure you aren’t vulnerable, you can remove the
/vendor/phpunit directory from the site root of your production deployments.
Upgrade to Drupal 8.2.7
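The two remediation checks the advisory asks for (core at 8.2.7 or later, and no vendor/phpunit directory in production) can be verified from the shell. This is an added example, not part of the advisory or of Drupal core; it assumes the standard Drupal 8 layout, where core/lib/Drupal.php declares `const VERSION = '8.x.y';` and Composer places dependencies under vendor/.

```shell
#!/bin/sh
# Audit a Drupal 8 docroot for the SA-CORE-2017-001 remediation state:
#  - core version at or above 8.2.7 (the fixed release), and
#  - the Composer dev dependency directory vendor/phpunit absent from production.
# Assumes the Drupal 8 layout: core/lib/Drupal.php contains "const VERSION = '8.x.y';"
# and Composer installs dependencies under vendor/.

# Print the core version declared in core/lib/Drupal.php, or nothing if absent.
drupal_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([0-9][0-9.]*\)[^']*';.*/\1/p" \
    "$1/core/lib/Drupal.php" 2>/dev/null | head -n 1
}

# Compare two dotted versions (up to three components): prints -1, 0 or 1.
version_cmp() {
  a=$1; b=$2; i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Print findings; return 0 when the docroot is remediated, 1 otherwise.
audit_docroot() {
  root=$1; status=0
  ver=$(drupal_version "$root")
  if [ -z "$ver" ]; then
    echo "FAIL: $root/core/lib/Drupal.php missing or unreadable"; status=1
  elif [ "$(version_cmp "$ver" 8.2.7)" -lt 0 ]; then
    echo "FAIL: Drupal core $ver is older than 8.2.7 (SA-CORE-2017-001)"; status=1
  else
    echo "OK: Drupal core $ver"
  fi
  if [ -d "$root/vendor/phpunit" ]; then
    echo "FAIL: $root/vendor/phpunit present in production (CVE-2017-6381)"; status=1
  else
    echo "OK: vendor/phpunit absent"
  fi
  return $status
}

# Usage: sh audit.sh /path/to/drupal-docroot
[ $# -eq 0 ] || audit_docroot "$1"
```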