Vulnerability Details : CVE-2017-6921
In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.
Vulnerability category: Input validation
Products affected by CVE-2017-6921
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6921
0.35%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6921
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
N/A
|
NONE | CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N |
0.1
|
N/A
|
Drupal.org | |
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
2.2
|
3.6
|
NIST |
CWE ids for CVE-2017-6921
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-6921
-
http://www.securitytracker.com/id/1038781
Drupal Bugs Let Remote Users Access Certain Uploaded Files and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/99222
Drupal Core CVE-2017-6921 Security Bypass VulnerabilityVDB Entry;Third Party Advisory
-
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple
Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 | Drupal.orgMitigation;Vendor Advisory
Jump to