1443831 – (CVE-2017-6919) CVE-2017-6919 drupal8: Access bypass

Bug 1443831 (CVE-2017-6919) - CVE-2017-6919 drupal8: Access bypass

Summary: CVE-2017-6919 drupal8: Access bypass

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-6919
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1443832
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-20 06:37 UTC by Andrej Nemec
Modified:	2021-02-17 02:15 UTC (History)
CC List:	2 users (show)
Fixed In Version:	drupal 8.3.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-11 07:09:14 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-04-20 06:37:34 UTC

Drupal 8 before before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

External References:

https://www.drupal.org/SA-CORE-2017-002

Comment 1 Andrej Nemec 2017-04-20 06:38:11 UTC

Created drupal8 tracking bugs for this issue:

Affects: fedora-all [bug 1443832]

Comment 2 Shawn Iwinski 2017-05-10 21:31:48 UTC

All dependent tickets have been closed.

Comment 3 Andrej Nemec 2017-05-11 07:09:14 UTC

(In reply to Shawn Iwinski from comment #2)
> All dependent tickets have been closed.

Thanks, closing this bug as well.

Note You need to log in before you can comment on or make changes to this bug.