GHSA-fmqh-2j2x-vgp3

Source

https://github.com/advisories/GHSA-fmqh-2j2x-vgp3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fmqh-2j2x-vgp3/GHSA-fmqh-2j2x-vgp3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fmqh-2j2x-vgp3

Aliases

CVE-2016-7572

Published

2022-05-17T03:47:57Z

Modified

2024-12-06T05:33:57.404844Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Drupal Unprivileged access to config export

Details

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

Database specific

{
    "nvd_published_at": "2016-10-03T18:59:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:17:36Z"
}

References

Affected packages

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0

Fixed

8.1.10

Affected versions

8.*

8.0.0-beta6

8.0.0-beta7

8.0.0-beta8

8.0.0-beta9

8.0.0-beta10

8.0.0-beta11

8.0.0-beta12

8.0.0-beta13

8.0.0-beta14

8.0.0-beta15

8.0.0-beta16

8.0.0-rc1

8.0.0-rc2

8.0.0-rc3

8.0.0-rc4

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

Packagist / drupal/drupal