
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN124
_____________________________________________________________________

DATE                : 21/04/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal Core 8.x prior to 8.2.8
                     (8.0.x, 8.1.x and 8.2.x branches) or 8.3.0 (8.3.x
                     branch); fixed in 8.2.8 and 8.3.1.

=====================================================================
https://www.drupal.org/SA-CORE-2017-002
____________________________________________________________________

Drupal Core - Critical - Access Bypass - SA-CORE-2017-002
Posted by Drupal Security Team on 19 Apr 2017 at 17:13 UTC

    Advisory ID: DRUPAL-SA-CORE-2017-002
    Project: Drupal core
    Version: 8.x
    Date: 2017-April-19
    CVEID: CVE-2017-6919
    Security risk: 17/25 (Critical)
                   AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
    Vulnerability: Access bypass

Description

This is a critical access bypass vulnerability. A site is only affected
by this if all of the following conditions are met:

    The site has the RESTful Web Services (rest) module enabled.
    The site allows PATCH requests.
    An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor
releases, given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a
chance to update to 8.3.0 can update safely.

CVE identifier(s) issued

    CVE-2017-6919


Versions affected

    Drupal 8.x prior to 8.2.8 (8.0.x, 8.1.x, 8.2.x) and 8.3.0.
    Drupal 7.x is not affected.


Solution

    If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
    If the site is running Drupal 8.3.0, upgrade to 8.3.1.
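The following triage helper is an added example written for this note; it is not code from Drupal or from the Drupal Security Team. It encodes the three preconditions from the Description and the version boundaries from the Solution so that a site's exported configuration can be checked offline. It assumes that the REST resource configuration is supplied as Python dicts mirroring Drupal 8.2+ `rest.resource.*` config entities (either `granularity: resource` with `configuration.methods`, or `granularity: method` with one key per HTTP method), that the module list comes from the site's enabled modules, and that self-registration is read from `user.settings` `register` (`visitors`, `visitors_admin_approval` or `admin_only`). The sample inputs at the bottom are constructed for illustration.

```python
"""Triage helper for SA-CORE-2017-002 / CVE-2017-6919.

Added example, not Drupal's own code. It answers two questions for a site:
is the installed core version in the affected range, and are the advisory's
other preconditions (rest module enabled, PATCH allowed, attacker can get an
account) met. Config shapes below are assumptions described in the lead-in.
"""
from __future__ import annotations

from typing import Iterable


def parse_version(version: str) -> tuple[int, int, int]:
    """'8.2.7' -> (8, 2, 7). A pre-release suffix such as '8.3.0-rc1' is
    treated as the base release, which keeps it inside the affected range."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def core_is_vulnerable(version: str) -> bool:
    """Affected range from the advisory: every 8.x before 8.2.8 and 8.3.0."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False            # 7.x is not affected
    if minor < 2:
        return True             # 8.0.x / 8.1.x: unsupported, all affected
    if minor == 2:
        return patch < 8
    if minor == 3:
        return patch < 1
    return False                # 8.4+ shipped after the fix


def recommended_upgrade(version: str) -> str | None:
    """Target release per the Solution section, or None if no upgrade needed."""
    if not core_is_vulnerable(version):
        return None
    _, minor, _ = parse_version(version)
    return "8.3.1" if minor == 3 else "8.2.8"


def rest_allows_patch(resources: Iterable[dict]) -> bool:
    """True if any enabled rest.resource config entity exposes PATCH.
    Assumed shape: granularity 'resource' -> configuration.methods list;
    granularity 'method' -> configuration keyed by HTTP method."""
    for res in resources:
        if not res.get("status", True):
            continue
        conf = res.get("configuration", {})
        if res.get("granularity") == "method":
            methods = conf.keys()
        else:
            methods = conf.get("methods", [])
        if "PATCH" in {m.upper() for m in methods}:
            return True
    return False


def attacker_can_get_account(user_settings: dict) -> bool:
    """Conservative reading of 'can get or register a user account':
    only admin_only registration counts as closed, and even then any
    untrusted existing account satisfies the precondition."""
    return user_settings.get("register", "visitors") != "admin_only"


def triage(version: str, enabled_modules: set[str],
           rest_resources: list[dict], user_settings: dict,
           untrusted_accounts_exist: bool = False) -> dict:
    """Combine all advisory preconditions into one verdict."""
    reasons = []
    if core_is_vulnerable(version):
        reasons.append(f"core {version} is in the affected range")
    if "rest" in enabled_modules:
        reasons.append("rest module enabled")
    if rest_allows_patch(rest_resources):
        reasons.append("PATCH allowed on at least one REST resource")
    if attacker_can_get_account(user_settings) or untrusted_accounts_exist:
        reasons.append("attacker can obtain a user account")
    return {
        "affected": len(reasons) == 4,
        "upgrade_to": recommended_upgrade(version),
        "reasons": reasons,
    }


# Constructed sample inputs (not from any real site).
SAMPLE_RESOURCES = [
    {"id": "entity.user", "status": True, "granularity": "method",
     "configuration": {"GET": {"supported_formats": ["json"]},
                       "PATCH": {"supported_formats": ["json"]}}},
    {"id": "entity.node", "status": True, "granularity": "resource",
     "configuration": {"methods": ["GET"], "formats": ["json"]}},
]
SAMPLE_MODULES = {"rest", "serialization", "basic_auth", "node", "user"}
SAMPLE_USER_SETTINGS = {"register": "visitors"}

if __name__ == "__main__":
    print(triage("8.3.0", SAMPLE_MODULES, SAMPLE_RESOURCES, SAMPLE_USER_SETTINGS))
```

Feed it the real values from `drush status` and from the site's exported `config/sync` directory; a site that fails only the registration check but has existing untrusted accounts should still be treated as affected, which is what the `untrusted_accounts_exist` flag expresses.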

Also see the Drupal core project page.


Reported by

    Samuel Mortenson


Fixed by

    Alex Pott of the Drupal Security Team
    xjm of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    Wim Leers
    Sascha Grossenbacher
    Daniel Wehner
    Tobias Stöckler
    Nathaniel Catchpole of the Drupal Security Team

Coordinated by

    The Drupal Security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


