Drupal 8 Core - Critical Access Bypass Vulnerability

A critical access bypass vulnerability has been identified in version 8 of Drupal. Although neither exploit code nor documentation for this vulnerability has yet been posted to public forums, Drupal's security advisory indicates that the vulnerability is very easy to exploit, so it should be patched ASAP. Once exploited, this vulnerability could be used to access or modify any information on the site.
 
The following criteria must be met for the site to be vulnerable:
· The site has the RESTful Web Services (rest) module enabled.
· The site allows PATCH requests.
· An attacker can get or register a user account on the site.
 
Drupal 8 prior to 8.2.8 and Drupal 8.3.0 are vulnerable and should be updated to 8.3.1.
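
A triage sketch for the criteria and version ranges listed above, as an added example that is not from the advisory or the Drupal project. The inventory records, field names and verdict labels are constructed for illustration, and pre-release strings such as 8.3.0-rc1 are treated as their base version (an assumption).

```python
import re

def parse_version(version):
    """Return (major, minor, patch) from strings such as '8.2.7', '8.3.0-rc1' or '7.54'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def version_affected(version):
    """Drupal 8 prior to 8.2.8, and Drupal 8.3.0, as stated in the notice."""
    v = parse_version(version)
    if v[0] != 8:
        return False
    return v < (8, 2, 8) or v == (8, 3, 0)

def assess(site):
    """Classify one inventory record (hypothetical field names)."""
    if not version_affected(site["version"]):
        return "not-affected"
    criteria = (
        "rest" in site["modules"],           # RESTful Web Services module enabled
        "PATCH" in site["allowed_methods"],  # site allows PATCH requests
        site["accounts_obtainable"],         # an account can be obtained or registered
    )
    # An affected version still needs the update even when a criterion is unmet.
    return "exposed" if all(criteria) else "update-needed"

# Constructed sample inventory; replace with data from your own asset records.
INVENTORY = [
    {"name": "intranet", "version": "8.2.7", "modules": ["node", "rest", "user"],
     "allowed_methods": ["GET", "POST", "PATCH"], "accounts_obtainable": True},
    {"name": "brochure", "version": "8.3.0", "modules": ["node", "user"],
     "allowed_methods": ["GET"], "accounts_obtainable": False},
    {"name": "shop", "version": "8.3.1", "modules": ["node", "rest", "user"],
     "allowed_methods": ["GET", "PATCH"], "accounts_obtainable": True},
    {"name": "legacy", "version": "7.54", "modules": ["node"],
     "allowed_methods": ["GET"], "accounts_obtainable": True},
]

def triage(inventory):
    """Map each site name to its verdict so exposed sites can be updated first."""
    return {site["name"]: assess(site) for site in inventory}

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY).items():
        print(f"{name}: {verdict}")
```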
 
For more information, visit https://www.drupal.org/SA-CORE-2017-002