CVE-2022-25274

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-25274

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25274.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-25274

Aliases

Related

UBUNTU-CVE-2022-25274

Published

2023-04-26T14:15:09Z

Modified

2024-09-03T04:13:05.149433Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

References

https://www.drupal.org/sa-core-2022-009

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

698ee686c23de8c97d7e0601cf745b220d54f4e1

Fixed

aa750f98c476ab867f6c6a14bbafcd2e98814512

Affected versions

9.*

9.3.0

9.3.10

9.3.11

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9