2017-04-20 04:59:00 2019-10-03 02:03:26

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Vector: NETWORK
Complexity: MEDIUM
Authentication: SINGLE_INSTANCE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Drupal Drupal 8.2.0 Beta2 (not an official CPE)
Drupal Drupal 8.2.0 Beta1 (not an official CPE)
Drupal Drupal 8.2.0 (not an official CPE)
Drupal Drupal 8.1.10 (not an official CPE)
Drupal Drupal 8.1.9 (not an official CPE)
Drupal Drupal 8.1.8 (not an official CPE)
Drupal Drupal 8.1.7 (not an official CPE)
Drupal Drupal 8.1.6 (not an official CPE)
Drupal Drupal 8.1.5 (not an official CPE)
Drupal Drupal 8.1.4 (not an official CPE)
Drupal Drupal 8.1.3 (not an official CPE)
Drupal Drupal 8.1.2 (not an official CPE)
Drupal Drupal 8.1.1 (not an official CPE)
Drupal Drupal 8.1.0 Rc1 (not an official CPE)
Drupal Drupal 8.1.0 Beta2 (not an official CPE)
Drupal Drupal 8.1.0 Beta1 (not an official CPE)
Drupal Drupal 8.1.0 (not an official CPE)
Drupal Drupal 8.0.6 (not an official CPE)
Drupal Drupal 8.0.5 (not an official CPE)
Drupal Drupal 8.0.4 (not an official CPE)
Drupal Drupal 8.0.3 (not an official CPE)
Drupal Drupal 8.0.2 (not an official CPE)
Drupal Drupal 8.0.1 (not an official CPE)
Drupal Drupal 8.0.0 Rc4 (not an official CPE)
Drupal Drupal 8.0.0 Rc3 (not an official CPE)
Drupal Drupal 8.0.0 Rc2 (not an official CPE)
Drupal Drupal 8.0.0 Rc1 (not an official CPE)
Drupal Drupal 8.0.0 Beta9 (not an official CPE)
Drupal Drupal 8.0.0 Beta7 (not an official CPE)
Drupal Drupal 8.0.0 Beta6 (not an official CPE)
Drupal Drupal 8.0.0 Beta4 (not an official CPE)
Drupal Drupal 8.0.0 Beta3 (not an official CPE)
Drupal Drupal 8.0.0 Beta2 (not an official CPE)
Drupal Drupal 8.0.0 Beta16 (not an official CPE)
Drupal Drupal 8.0.0 Beta15 (not an official CPE)
Drupal Drupal 8.0.0 Beta14 (not an official CPE)
Drupal Drupal 8.0.0 Beta13 (not an official CPE)
Drupal Drupal 8.0.0 Beta12 (not an official CPE)
Drupal Drupal 8.0.0 Beta11 (not an official CPE)
Drupal Drupal 8.0.0 Beta10 (not an official CPE)
Drupal Drupal 8.0.0 Beta1 (not an official CPE)
Drupal Drupal 8.0.0 Alpha9 (not an official CPE)
Drupal Drupal 8.0.0 Alpha8 (not an official CPE)
Drupal Drupal 8.0.0 Alpha7 (not an official CPE)
Drupal Drupal 8.0.0 Alpha6 (not an official CPE)
Drupal Drupal 8.0.0 Alpha5 (not an official CPE)
Drupal Drupal 8.0.0 Alpha4 (not an official CPE)
Drupal Drupal 8.0.0 Alpha3 (not an official CPE)
Drupal Drupal 8.0.0 Alpha2 (not an official CPE)
Drupal Drupal 8.0.0 Alpha15 (not an official CPE)
Drupal Drupal 8.0.0 Alpha14 (not an official CPE)
Drupal Drupal 8.0.0 Alpha13 (not an official CPE)
Drupal Drupal 8.0.0 Alpha12 (not an official CPE)
Drupal Drupal 8.0.0 Alpha11 (not an official CPE)
Drupal Drupal 8.0.0 Alpha10 (not an official CPE)
Drupal Drupal 8.0.0 (not an official CPE)
Drupal Drupal 8.2.0 Beta3 (not an official CPE)
Drupal Drupal 8.2.0 Rc1 (not an official CPE)
Drupal Drupal 8.2.0 Rc2 (not an official CPE)
Drupal Drupal 8.2.1 (not an official CPE)
Drupal Drupal 8.2.2 (not an official CPE)
Drupal Drupal 8.2.3 (not an official CPE)
Drupal Drupal 8.2.4 (not an official CPE)
Drupal Drupal 8.2.5 (not an official CPE)
Drupal Drupal 8.2.6 (not an official CPE)
Drupal Drupal 8.2.7 (not an official CPE)
Drupal Drupal 8.3.0 (not an official CPE)
Drupal Drupal 8.3.0 Alpha1 (not an official CPE)
Drupal Drupal 8.3.0 Beta1 (not an official CPE)
Drupal Drupal 8.3.0 Rc1 (not an official CPE)
Drupal Drupal 8.3.0 Rc2 (not an official CPE)

Advisory Patch Confirmed Link
https://www.drupal.org/SA-CORE-2017-002
1038371
97941