| Summary: | <www-apps/drupal-{7.58,8.4.6,8.5.1}: Remote Code Execution (SA-CORE-2018-002) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.drupal.org/sa-core-2018-002 | | |
| Whiteboard: | ~1 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Thomas Deutschmann (RETIRED)
2018-03-28 14:48:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=7a9178b3c9af6525215548fa76cf503f31bddaf3

commit 7a9178b3c9af6525215548fa76cf503f31bddaf3
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:27:05 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:27:05 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).

    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/{drupal-7.57.ebuild => drupal-7.58.ebuild} | 0
 www-apps/drupal/{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild} | 0
 www-apps/drupal/{drupal-8.5.0.ebuild => drupal-8.5.1.ebuild} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07ad56cacfc2e859666544708d1ffd80f0a84cea

commit 07ad56cacfc2e859666544708d1ffd80f0a84cea
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-03-28 19:37:33 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-03-28 19:37:33 +0000

    www-apps/drupal: Security releases to address PSA-2018-001 (7.58, 8.4.6 and 8.5.1).

    Bug: https://bugs.gentoo.org/651822
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 www-apps/drupal/Manifest | 5 +-
 .../{drupal-7.57.ebuild => drupal-7.58.ebuild} | 0
 .../{drupal-8.4.5.ebuild => drupal-8.4.6.ebuild} | 0
 www-apps/drupal/drupal-8.5.1.ebuild | 86 ++++++++++++++++++++++
 4 files changed, 89 insertions(+), 2 deletions(-)

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

How dangerous is this issue?

Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default.

In the long form this means:

How difficult is it for the attacker to leverage the vulnerability? None (user visits page).

What privilege level is required for an exploit to be successful? None (all/anonymous users).

Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.

Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.

Does a known exploit exist? Theoretical or white-hat (no public exploit code or documentation on development exists).

What percentage of users are affected? Default or common module configurations are exploitable, but a config change can disable the exploit.

https://groups.drupal.org/security/faq-2018-002

Package has no affected stable ebuild. Repository is clean. All done.