| Summary: | <www-apps/drupal-{8.2.8,8.3.1}: Access Bypass (SA-CORE-2017-002) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jorge Manuel B. S. Vicetto <jmbsvicetto> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.drupal.org/SA-CORE-2017-002 | ||
| Whiteboard: | ~1 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
Repository is clean, no stable package was affected. All done! Maintainer(s), thank you for your work. |
A critical access bypass was reported for drupal versions <8.2.8 and <8.3.1, as per drupal advisory: DRUPAL-SA-CORE-2017-002. Drupal 7 is *not* affected. From the advisory: This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met: The site has the RESTful Web Services (rest) module enabled. The site allows PATCH requests. An attacker can get or register a user account on the site. Fixed versions are already in the tree and the affected versions were dropped. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86d31afe3bd4ba200886e7791071bc7d63099741