Drupal patches critical access bypass flaw in engine core

Drupal has released security fixes to smooth over a serious access bypass vulnerability, among other bugs.
Written by Charlie Osborne, Contributing Writer

Drupal has issued a security update which fixes a number of critical flaws in the website management platform's core engine.

On Thursday, Drupal, an open-source content management system (CMS) used by thousands to manage the back end of their websites, released the latest version of the firm's software, Drupal 8.3.7, to combat a number of vulnerabilities which could leave users exposed to attack.

According to Drupal's security advisory, multiple vulnerabilities have been discovered in the CMS platform, some of which are deemed critical.

The most severe security flaw, CVE-2017-6925, is an access bypass bug in the Drupal 8 Core engine's entity access system without a Universal Unique Identifier (UUID) which could allow attackers to range freely in the system. Drupal says that should the vulnerability be exploited, attackers are able to view, create, update, or delete entities.

Another serious issue, CVE-2017-6923, is another access bypass vulnerability. The problem occurs as when creating a view in Drupal, you are able to optionally use Ajax to update display data via filter parameters.

However, the view subsystem mobile did not restrict access to the Ajax endpoint to only views configured to use Ajax.

This week, the CMS platform provider also issued a separate security advisory for Drupal version 7.

According to the notice, versions 7.x - 3.17 are also vulnerable to the same Ajax issue, but no CVE has yet been issued. Users of this build have also been asked to apply the security update for the views module.

The final bug now patched in the new Drupal release is CVE-2017-6924, once again, an access bypass vulnerability. This bug can be exploited via the REST API to permit users without the correct level of permission to post comments which are automatically approved.

However, this only affects Drupal builds with the RESTful Web Services (rest) module enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users are permitted to post comments.

Drupal version 8 prior to Drupal 8.3.7 are vulnerable to these issues.

There are no new features in the latest version of Drupal, but webmasters are urged to update their existing packages to take advantage of the latest round of security fixes.

See also: Drupal patches 10 security flaws, critical issues

In July, Drupal asked users to patch a remote code execution flaw which allowed attackers to completely take over a website using specially crafted requests, run arbitrary code, and potentially hijack servers.

Must-have mobile apps to encrypt your texts and calls

Editorial standards