
[Vulnerability notice] CVE-2017-6923/6924/6925: Multiple high-risk vulnerabilities in Drupal

Last Updated: Apr 08, 2018

The Drupal project released a security advisory on August 16, 2017, stating that several vulnerabilities in Drupal 8 have been fixed and that security patches are available. The vulnerabilities affect multiple Drupal 8 subsystems, including the entity access system, the REST API, and parts of the Views module.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-6923, CVE-2017-6924, CVE-2017-6925

Vulnerability name

Multiple Drupal high-risk vulnerabilities

Vulnerability rating

High

Vulnerability description

  • CVE-2017-6925

    This vulnerability, fixed in Drupal 8.3.7, affects the entity access system and allows an attacker to view, create, delete, or update entities. It only affects entities that do not have a UUID, and entities that have different access restrictions on different versions (revisions) of the same entity.

  • CVE-2017-6924

    This vulnerability in Drupal 8 allows an attacker to bypass access permissions: through the REST API, a user who lacks the permission to post comments can nonetheless post them over REST. It is rated high-risk because it affects sites that have the RESTful Web Services module and the comment entity REST resource enabled.

  • CVE-2017-6923

    This critical vulnerability in Drupal 8 affects the view components. When creating a view, a user can optionally use Ajax to update the displayed data through filter parameters. The views subsystem/module does not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

Condition and method of exploitation

Remote exploitation

Affected scope

Drupal core 8.x < 8.3.7

Drupal 7 core is not affected

Vulnerability detection

Check whether the Drupal core version in use falls within the affected range above.
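An added example of that detection step, not part of the original notice: a Python check that reads the VERSION constant Drupal 8 core declares in core/lib/Drupal.php and decides whether it falls inside the affected range (8.x < 8.3.7, Drupal 7 not affected). The PHP excerpt below is constructed; pre-release builds of 8.3.7 (e.g. rc) are treated as still affected.

```python
import re

# Affected range from the advisory: Drupal core 8.x < 8.3.7; Drupal 7 core is not affected.
FIXED_VERSION = (8, 3, 7)

# Drupal 8 core declares its version as a class constant in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) from a Drupal version string such as
    '8.3.6', '7.56', '8.3.7-rc1' or '8.4.x-dev'. A missing or 'x' patch counts as 0;
    an 'x' placeholder or any '-suffix' marks a pre-release build."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+|x))?(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch, suffix = m.groups()
    prerelease = suffix is not None or patch == "x"
    patch_num = 0 if patch in (None, "x") else int(patch)
    return int(major), int(minor), patch_num, prerelease


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    major, minor, patch, prerelease = parse_version(version)
    if major != 8:
        return False  # Drupal 7 core is not affected; other majors are outside this advisory
    if (major, minor, patch) < FIXED_VERSION:
        return True
    # 8.3.7-rc1 sorts after 8.3.6 but predates the 8.3.7 release that carries the fix
    return (major, minor, patch) == FIXED_VERSION and prerelease


def version_from_drupal_php(source):
    """Extract the VERSION constant from the contents of core/lib/Drupal.php."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php")
    return m.group(1)


# Constructed excerpt standing in for a real core/lib/Drupal.php
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.3.6';
}
"""

if __name__ == "__main__":
    v = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(f"Drupal {v}: {'AFFECTED, upgrade to 8.3.7 or later' if is_affected(v) else 'not affected'}")
```

On a real install, read core/lib/Drupal.php from the site's web root and pass its contents to version_from_drupal_php.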

How to fix or mitigate

Drupal 8 users are advised to upgrade to the latest official version.

