Bug 2055471 (CVE-2022-25271)

Summary: CVE-2022-25271 drupal: improper input validation found via drupal core api
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, hello, jsmith.fedora, shawn, stickster
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-02 18:49:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2055472, 2055473, 2055474    
Bug Blocks:    

Description Sandipan Roy 2022-02-17 03:55:21 UTC 
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

https://www.drupal.org/sa-core-2022-003
Comment 1 Sandipan Roy 2022-02-17 03:55:56 UTC 
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 2055472]
Affects: fedora-all [bug 2055473]


Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 2055474]
Comment 2 Product Security DevOps Team 2022-03-02 18:49:51 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.