CVE-2017-6930

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-6930

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6930.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-6930

Aliases

GHSA-3327-jr93-7hq3

Published

2018-03-01T23:29:00Z

Modified

2024-09-03T01:55:23.120504Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hooknodeaccess_records().

References

https://www.drupal.org/sa-core-2018-001

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

abfe77673a5a6194ef13600e05f1ca2c5dd59db8

Fixed

3347ff569787d2e659a8c4b5211ea0c76894aa8a

Affected versions

8.*

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4