CVE-2022-25274
Access bypass in Drupal core
5.4
MEDIUM
CVSS 3.1
EPSS 0.13%
Description
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
How to fix CVE-2022-25274
To remediate CVE-2022-25274, upgrade the affected package to a fixed version below.
- —upgrade to 9.3.12 or later
- —upgrade to 9.3.12 or later
- —upgrade to 9.3.12 or later
Is CVE-2022-25274 being exploited?
Low. EPSS is 0.13%, meaning the EPSS model estimates roughly a 0.13% probability of exploitation activity in the next 30 days; exploitation has not been observed at scale. Note that EPSS is a prediction, not proof of absence: sites that grant the revision-related permissions to low-trust roles should still treat the upgrade as routine priority.
Affected packages (3)
- >= 9.3.0, < 9.3.12
- >= 9.3.0, < 9.3.12
- >= 9.3.0, < 9.3.12
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |

Reading the vector: the attack is over the network with low complexity and no user interaction, but requires low privileges (PR:L), which matches the description's authenticated user who may use revisions generally. Scope is unchanged and the impact is limited loss of confidentiality and integrity (C:L/I:L) with no availability impact.