View online: https://www.drupal.org/SA-CORE-2017-002

* Advisory ID: DRUPAL-SA-CORE-2017-002
* Project: Drupal core [1]
* Version: 8.x
* Date: 2017-April-19
* CVEID: CVE-2017-6919
* Security risk: 17/25 ( Critical)
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass

——– DESCRIPTION
———————————————————

This is a critical access bypass vulnerability. A site is only affected by
this is the following conditions are met:

* The site has the RESTful Web Services (rest) module enabled.
* The site allows PATCH requests.
* An attacker can get or register a user account on the site.

While we don’t normally provide security releases for unsupported minor
releases [3], given the potential severity of this issue, we have also
provided an 8.2.x release to ensure that sites that have not had a chance to
update to 8.3.0 can update safely.

——– CVE IDENTIFIER(S) ISSUED
——————————————–

* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

——– VERSIONS AFFECTED
—————————————————

* Drupal 8 prior to 8.2.8 and 8.3.1.
* Drupal 7.x is not affected.

——– SOLUTION
————————————————————

* If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8. [5]
* If the site is running Drupal 8.3.0, upgrade to 8.3.1. [6]

Also see the Drupal core [7] project page.

——– REPORTED BY
———————————————————

* Samuel Mortenson [8]

——– FIXED BY
————————————————————

* Alex Pott [9] of the Drupal Security Team
* xjm [10] of the Drupal Security Team
* Lee Rowlands [11] of the Drupal Security Team
* Wim Leers [12]
* Sascha Grossenbacher [13]
* Daniel Wehner [14]
* Tobias Stöckler [15]
* Nathaniel Catchpole [16] of the Drupal Security Team

——– COORDINATED BY
——————————————————

* The Drupal Security team

——– CONTACT AND MORE INFORMATION
—————————————-

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [21]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/core/release-cycle-overview
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/8.2.8
[6] https://www.drupal.org/project/drupal/releases/8.3.1
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/u/samuelmortenson
[9] https://www.drupal.org/u/alexpott
[10] https://www.drupal.org/u/xjm
[11] https://www.drupal.org/u/larowlan
[12] https://www.drupal.org/u/wim-leers
[13] https://www.drupal.org/u/Berdir
[14] https://www.drupal.org/u/dawehner
[15] https://www.drupal.org/u/tstoeckler
[16] https://www.drupal.org/u/catch
[17] https://www.drupal.org/contact
[18] https://www.drupal.org/security-team
[19] https://www.drupal.org/writing-secure-code
[20] https://www.drupal.org/security/secure-configuration
[21] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news