CVE-2012-1635 : The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the

The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content.

Published 2012-08-28 17:55:01

Updated 2012-08-29 04:00:00

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2012-1635

Probability of exploitation activity in the next 30 days: 0.17%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 52 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-1635

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-1635

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1635

https://drupal.org/node/1409268

SA-CONTRIB-2012-009 - Revisioning - Access bypass | Drupal.org
Patch;Vendor Advisory
http://drupal.org/node/1407456

revisioning 7.x-1.3 | Drupal.org
Patch
http://www.openwall.com/lists/oss-security/2012/04/07/1

oss-security - CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)

CVEs referencing this url

Products affected by CVE-2012-1635

Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta8
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta8:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta7
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta7:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta6
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta6:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta5
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta5:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta10
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta10:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta3
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta3:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta1
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta1:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.x
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.x:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.x Update DEV
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.x:dev:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.2
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.2:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.1
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.1:*:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Alpha5
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:alpha5:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Alpha4
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:alpha4:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Alpha3
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:alpha3:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Alpha2
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:alpha2:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Alpha1
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:alpha1:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta11
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta11:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta9
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta9:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta4
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta4:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A
Rik De Boer » Revisioning » Version: 7.x-1.0 Update Beta2
cpe:2.3:a:rik_de_boer:revisioning:7.x-1.0:beta2:*:*:*:*:*:*
Matching versions
When used together with: Drupal » Drupal » Version: N/A

Vulnerability Details : CVE-2012-1635

Exploit prediction scoring system (EPSS) score for CVE-2012-1635

CVSS scores for CVE-2012-1635

CWE ids for CVE-2012-1635

References for CVE-2012-1635

Products affected by CVE-2012-1635