Vulnerability Name: | CVE-2017-6921 (CCN-127567)
Assigned: | 2017-06-21
Published: | 2017-06-21
Updated: | 2019-10-09
Summary: | In Drupal 8 prior to 8.3.4, the file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.
CVSS v3 Severity: | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Vulnerability Type: | CWE-20
Vulnerability Consequences: | Bypass Security
References: |
Source: MITRE Type: CNA CVE-2017-6921
Source: BID Type: Third Party Advisory, VDB Entry 99222
Source: CCN Type: BID-99222 Drupal Core CVE-2017-6921 Security Bypass Vulnerability
Source: SECTRACK Type: Third Party Advisory, VDB Entry 1038781
Source: XF Type: UNKNOWN drupal-cve20176921-sec-bypass(127567)
Source: CONFIRM Type: Mitigation, Vendor Advisory https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple
Source: CCN Type: DRUPAL-SA-CORE-2017-003 Drupal Core - Multiple Vulnerabilities
Source: CCN Type: WhiteSource Vulnerability Database CVE-2017-6921
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable