CVE-2017-6377
Low
Low
Medium
High
Critical
CVSS Score
Vulnerability Description
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
Known Affected Software
7 configuration(s) from 1 vendor(s)
drupal
Version:
8.2.2
CPE:
cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*
drupal
Version:
8.2.5
CPE:
cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*
drupal
Version:
8.2.0
CPE:
cpe:2.3:a:drupal:drupal:8.2.0:-:*:*:*:*:*:*
drupal
Version:
8.2.1
CPE:
cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
drupal
Version:
8.2.3
CPE:
cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*
drupal
Version:
8.2.4
CPE:
cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*
drupal
Version:
8.2.6
CPE:
cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*
This vulnerability affects 7 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
http://www.securityfocus.com/bid/96919mlhess@drupal.org Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1038058mlhess@drupal.org
-
https://www.drupal.org/SA-2017-001mlhess@drupal.org Vendor Advisory
-
http://www.securityfocus.com/bid/96919af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1038058af854a3a-2127-422b-91ae-364da2661108
-
https://www.drupal.org/SA-2017-001af854a3a-2127-422b-91ae-364da2661108 Vendor Advisory
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-863
Top 25 #24
Incorrect Authorization
- Description
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- Exploit Likelihood
- High
- Typical Severity
- High
- OWASP Top 10
- A01:2021-Broken Access Control
- Abstraction Level
- Class
Key Information
- Published Date
- March 16, 2017
