A critical vulnerability in the Drupal Core engine was addressed in an update released Wednesday.
Drupal engineers are calling it an access bypass vulnerability and said a Drupal-based website is vulnerable only under certain conditions, including whether a site has the RESTful Web Services module enabled, whether it allows PATCH requests, and whether an attacker gets access to or registers a user account on such a site.
Drupal 8 versions prior to 8.2.8 and 8.3.1 are affected; Drupal 7.x is not affected, the advisory said.
“While we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely,” the advisory said.
Drupal recommends sites running on 8.2.7 or earlier be upgraded to 8.2.8, and sites running 8.3.0 be upgraded to 8.3.1.
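The conditions above (an affected 8.x version, the RESTful Web Services module enabled, and a resource that accepts PATCH) can be checked from a site's own files. The following script is an added example and not Drupal's code; it assumes the VERSION constant is read from core/lib/Drupal.php and that the exported config files core.extension.yml and rest.resource.*.yml have already been parsed into dicts, with sample inputs constructed inline.

```python
import re

# Constructed sample inputs, not taken from a real site: the VERSION constant as it
# appears in core/lib/Drupal.php, the module list from core.extension.yml, and a
# REST resource config entity (rest.resource.entity.user.yml) as exported by
# Drupal 8.2+. The config layout is an assumption of this example.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.3.0';\n}"
SAMPLE_CORE_EXTENSION = {"module": {"node": 0, "rest": 0, "user": 0}}
SAMPLE_REST_CONFIG = {
    "id": "entity.user",
    "granularity": "resource",
    "configuration": {
        "methods": ["GET", "PATCH"],
        "formats": ["json"],
        "authentication": ["basic_auth", "cookie"],
    },
}

def core_version(drupal_php_source):
    """Extract the VERSION constant from the text of core/lib/Drupal.php."""
    m = re.search(r"const VERSION = '([^']+)'", drupal_php_source)
    if not m:
        raise ValueError("VERSION constant not found")
    return m.group(1)

def version_affected(version):
    """True for the 8.x releases the advisory names: anything before 8.2.8, and 8.3.0."""
    base = version.split("-")[0]                 # drop pre-release suffixes such as -rc1
    parts = tuple(int(p) for p in base.split("."))
    if parts[0] != 8:
        return False                             # Drupal 7.x is not affected
    return parts < (8, 2, 8) or parts == (8, 3, 0)

def rest_enabled(core_extension):
    """True if the RESTful Web Services module is listed as enabled."""
    return "rest" in core_extension.get("module", {})

def patch_exposed(rest_config):
    """True if this REST resource config entity allows the PATCH method."""
    conf = rest_config.get("configuration", {})
    if rest_config.get("granularity") == "method":
        return "PATCH" in conf                   # per-method granularity keys by verb
    return "PATCH" in conf.get("methods", [])

def assess(drupal_php_source, core_extension, rest_configs):
    """Report the version status and whether the advisory's exposure conditions hold."""
    version = core_version(drupal_php_source)
    exposed = [c["id"] for c in rest_configs if patch_exposed(c)]
    affected = version_affected(version)
    conditions = affected and rest_enabled(core_extension) and bool(exposed)
    return {"version": version, "version_affected": affected,
            "patch_resources": exposed, "conditions_met": conditions}
```

An affected version should still be updated to 8.2.8 or 8.3.1 even when `conditions_met` is false; the REST conditions only describe whether the bypass is reachable as the site is configured today.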
In March, a maintenance release for the Drupal Core was made available, and it included a number of security fixes, including a remote code execution vulnerability in an unnamed third-party development library integrated into Drupal 8.
The March update also patched an access bypass flaw. Drupal said that its editor module would not check access for private files added via text editors such as CKEditor.
Finally, a cross-site request forgery flaw in some administrative paths was also patched in March. Those paths, Drupal said, lacked CSRF protection, which an attacker could use to disable some blocks on a site.
Before March, there hadn’t been a security update for Drupal since last fall. In November, cache poisoning and denial of service vulnerabilities were patched in the core engine, while in September, three bugs were addressed, including a cross-site scripting vulnerability, an issue where an attacker could download a system configuration report without authorization, and an issue around permissions for comment administration on a Drupal site.