CVE-2017-6919
Drupal access control bypass vulnerability
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.60%
Description
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
How to fix CVE-2017-6919
To remediate CVE-2017-6919, upgrade Drupal core to a fixed release on the branch you run: 8.2.8 or later on the 8.2 branch, or 8.3.1 or later on the 8.3 branch (8.3.0 is newer than 8.2.8 but is still affected, per the description above).
- Packagist/drupal/core: upgrade to 8.2.8 or later (8.3.x: 8.3.1 or later)
- (second package, name not given): upgrade to 8.2.8 or later (8.3.x: 8.3.1 or later)
Until the upgrade is applied, removing either precondition named in the description (disable the rest module, or remove PATCH from every enabled REST resource) closes the exposure, at the cost of any integration that relies on REST PATCH.
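A triage script, added here as an example and not code from the advisory page or from the Drupal project, that checks the two preconditions the description names against a checked-out site: the core version (read from core/lib/Drupal.php) against the affected ranges, and whether any exported REST resource configuration enables PATCH. The layout it greps for in rest.resource.*.yml (a `PATCH:` key under `configuration`, or a `- PATCH` list item under `methods`) is an assumption about Drupal 8.2-era config exports; the sample site tree is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added triage helper for CVE-2017-6919; not code from the advisory page or
# from the Drupal project. It encodes the affected ranges the advisory states
# (>= 8.0, < 8.2.8 and 8.3 before 8.3.1) and flags exported REST resource
# configuration that enables PATCH. The YAML layout matched below is an
# assumption about Drupal 8.2+ rest.resource.*.yml exports.

# drupal_core_version DOCROOT: print the version from core/lib/Drupal.php
drupal_core_version() {
  sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$1/core/lib/Drupal.php" | head -n 1
}

# drupal_version_affected VERSION: exit 0 if VERSION is in an affected range,
# 1 if it is a fixed release, 2 if it is a pre-release/dev build or cannot be
# parsed (those need a look at the checked-out commit, not a string compare).
drupal_version_affected() {
  v=$1
  case "$v" in ''|*-*|*[!0-9.]*) return 2 ;; esac   # 8.3.x-dev, 8.2.8-rc1, junk
  case "$v" in *.*) ;; *) return 2 ;; esac           # need at least major.minor
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0                  # "8.3" means 8.3.0
  patch=${patch%%.*}                                 # ignore a 4th component
  [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 2
  [ "$major" -eq 8 ] || return 1                     # only Drupal 8 is in scope
  [ "$minor" -lt 2 ] && return 0                     # 8.0.x / 8.1.x never got the fix
  [ "$minor" -eq 2 ] && [ "$patch" -lt 8 ] && return 0
  [ "$minor" -eq 3 ] && [ "$patch" -lt 1 ] && return 0
  return 1
}

# rest_patch_resources CONFIG_DIR: print each rest.resource.*.yml in CONFIG_DIR
# that enables PATCH, either as a per-method block ("PATCH:" under
# configuration, granularity: method) or as a list item ("- PATCH" under
# methods, granularity: resource). Heuristic grep, not a YAML parser.
rest_patch_resources() {
  for f in "$1"/rest.resource.*.yml; do
    [ -f "$f" ] || continue
    if grep -qE '^[[:space:]]*(PATCH:|- PATCH[[:space:]]*$)' "$f"; then
      basename "$f"
    fi
  done
}

# triage_site DOCROOT CONFIG_DIR: one line per finding
triage_site() {
  v=$(drupal_core_version "$1")
  rc=0
  drupal_version_affected "$v" || rc=$?
  case "$rc" in
    0) echo "core $v: in an affected range for CVE-2017-6919" ;;
    1) echo "core $v: fixed release" ;;
    *) echo "core $v: pre-release or unparseable, check the commit by hand" ;;
  esac
  patched=$(rest_patch_resources "$2")
  if [ -n "$patched" ]; then
    echo "REST PATCH enabled in: $patched"
  else
    echo "no REST resource enables PATCH"
  fi
}

# Constructed sample site tree so the helpers run offline; on a real site pass
# the docroot and its config sync (or active export) directory instead.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/core/lib" "$DEMO/config/sync"
printf '%s\n' '<?php' 'class Drupal {' "  const VERSION = '8.2.7';" '}' \
  > "$DEMO/core/lib/Drupal.php"
cat > "$DEMO/config/sync/rest.resource.entity.node.yml" <<'EOF'
id: entity.node
plugin_id: 'entity:node'
granularity: method
configuration:
  GET:
    supported_formats: [json]
    supported_auth: [cookie]
  PATCH:
    supported_formats: [json]
    supported_auth: [cookie]
EOF
cat > "$DEMO/config/sync/rest.resource.entity.user.yml" <<'EOF'
id: entity.user
plugin_id: 'entity:user'
granularity: method
configuration:
  GET:
    supported_formats: [json]
    supported_auth: [cookie]
EOF
triage_site "$DEMO" "$DEMO/config/sync"
rm -rf "$DEMO"
```

Run it from the site root with the real docroot and config directory; a site that reports both an affected core version and at least one PATCH-enabled resource meets every precondition in the description, and the PATCH finding tells you which resources to disable if the upgrade has to wait.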
Is CVE-2017-6919 being exploited?
Low. An EPSS score of 0.60% is a predicted probability of exploitation in the wild over the next 30 days, not a measure of how hard the bug is to exploit: the CVSS vector needs only a low-privilege account (PR:L) and no user interaction, so a site that meets both preconditions (rest module enabled, PATCH allowed) should still treat the upgrade as urgent.
Affected packages (2)
- Packagist/drupal/core: >= 8.0, < 8.2.8, and >= 8.3.0, < 8.3.1
- (second package, name not given): >= 8.0, < 8.2.8, and >= 8.3.0, < 8.3.1
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
The vector string carries a CVSS:3.0 prefix although the row is labelled 3.1; the metrics give 7.5 under either version's formula.