All Products
Search

This Product

    [Vulnerability notice] CVE-2017-6923/6924/6925: Multiple high-risk vulnerabilities in Dural

    Document Center

    [Vulnerability notice] CVE-2017-6923/6924/6925: Multiple high-risk vulnerabilities in Dural

    Last Updated: Apr 08, 2018

    Drupal researchers released a security report on August 16, 2017, claiming that several bugs in Drupal 8 have been fixed and security patches have been updated online. According to research, the vulnerabilities affect multiple system components of Drupal 8, including the entity access system, REST API, and some view components.

    See the following for more information about the vulnerability.

    CVE identifier

    CVE-2017-6923, CVE-2017-6924, CVE-2017-6925

    Vulnerability name

    Multiple Dural high-risk vulnerabilities

    Vulnerability rating

    High

    Vulnerability description

    • CVE-2017-6925

      This vulnerability in Drupal 8.3.7 affects entity systems and allows an attacker to view, create, delete, or update entities. However, the vulnerability only affects entity systems that do not have UUID entities and have multiple access restrictions on different versions of the same entity.

    • CVE-2017-6924

      This vulnerability in Drupal 8 allows an attacker to bypass access permissions. When residing in the REST API, any user without access permissions can post comments over REST. Currently, this vulnerability has been evaluated as highly risky because it affects sites that have the RESTful Web Services module and the comment entity REST resource enabled.

    • CVE-2017-6923

      This critical vulnerability in Drupal 8 affects the view components. When creating a view, a user can optionally use Ajax to update the displayed data through filter parameters. The views subsystem/module does not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

    Condition and method of exploitation

    Remote exploitation

    Affected scope

    Drupal core 8.x < 8.3.7

    Drupal 7 core is not affected

    Vulnerability detection

    Check whether any affected version is used.

    How to fix or mitigate

    Drupal 8 users are advised to upgrade to the latest official version.

    Reference

    [1]. http://securityaffairs.co/wordpress/62096/hacking/drupal-8-updates.html

    Free Trial Free Trial