CVE-2017-6919

high-risk
Published 2017-04-20

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Do I need to act?

-
0.60% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / HIGH complexity

Affected Products (20)

Affected Vendors

Drupal

References (6)

Third Party Advisory http://www.securityfocus.com/bid/97941
http://www.securitytracker.com/id/1038371
Patch https://www.drupal.org/SA-CORE-2017-002
Third Party Advisory http://www.securityfocus.com/bid/97941
http://www.securitytracker.com/id/1038371
Patch https://www.drupal.org/SA-CORE-2017-002
52
/ 100
high-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 28/34 · Critical