[IT-SecNots] [Security-news] Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

[security-news AT drupal.org]

View online: https://www.drupal.org/SA-CORE-2017-002

  * Advisory ID: DRUPAL-SA-CORE-2017-002
  * Project: Drupal core [1]
  * Version: 8.x
  * Date: 2017-April-19
  * CVEID: CVE-2017-6919
  * Security risk: 17/25 ( Critical)
    AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
  * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

This is a critical access bypass vulnerability. A site is only affected by
this is the following conditions are met:

  * The site has the RESTful Web Services (rest) module enabled.
  * The site allows PATCH requests.
  * An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor
releases [3], given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

  * Drupal 8 prior to 8.2.8 and 8.3.1.
  * Drupal 7.x is not affected.

-------- SOLUTION
------------------------------------------------------------

  * If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5]
  * If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6]

Also see the Drupal core [7] project page.

-------- REPORTED BY
---------------------------------------------------------

  * Samuel Mortenson [8]

-------- FIXED BY
------------------------------------------------------------

  * Alex Pott [9] of the Drupal Security Team
  * xjm [10] of the Drupal Security Team
  * Lee Rowlands [11] of the Drupal Security Team
  * Wim Leers [12]
  * Sascha Grossenbacher [13]
  * Daniel Wehner [14]
  * Tobias Stöckler [15]
  * Nathaniel Catchpole [16] of the Drupal Security Team

-------- COORDINATED BY
------------------------------------------------------

  * The Drupal Security team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and  securing your site [20].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [21]


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/core/release-cycle-overview
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/8.2.8
[6] https://www.drupal.org/project/drupal/releases/8.3.1
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/samuelmortenson
[9] https://www.drupal.org/u/alexpott
[10] https://www.drupal.org/u/xjm
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/Berdir
[14] https://www.drupal.org/u/dawehner
[15] https://www.drupal.org/u/tstoeckler
[16] https://www.drupal.org/u/catch
[17] https://www.drupal.org/contact
[18] https://www.drupal.org/security-team
[19] https://www.drupal.org/writing-secure-code
[20] https://www.drupal.org/security/secure-configuration
[21] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news