CVE-2017-6379 - OpenCVE

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:H/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal:8.2.0:::::::*
	cpe:2.3:a:drupal:drupal:8.2.0:beta1::::::
	cpe:2.3:a:drupal:drupal:8.2.0:beta2::::::
	cpe:2.3:a:drupal:drupal:8.2.0:beta3::::::
	cpe:2.3:a:drupal:drupal:8.2.0:rc1::::::
	cpe:2.3:a:drupal:drupal:8.2.0:rc2::::::
	cpe:2.3:a:drupal:drupal:8.2.1:::::::*
	cpe:2.3:a:drupal:drupal:8.2.2:::::::*
	cpe:2.3:a:drupal:drupal:8.2.3:::::::*
	cpe:2.3:a:drupal:drupal:8.2.4:::::::*
	cpe:2.3:a:drupal:drupal:8.2.5:::::::*
	cpe:2.3:a:drupal:drupal:8.2.6:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/96919
http://www.securitytracker.com/id/1038058
https://www.drupal.org/SA-2017-001

History

No history.

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2017-03-16T14:00:00

Updated: 2024-08-05T15:25:49.262Z

Reserved: 2017-02-28T00:00:00

Link: CVE-2017-6379

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-03-16T14:59:00.267

Modified: 2017-07-12T01:29:18.003

Link: CVE-2017-6379

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal", "versions": [{"status": "affected", "version": "8.2.x versions before 8.2.7"}]}], "datePublic": "2017-03-15T00:00:00", "descriptions": [{"lang": "en", "value": "Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID."}], "problemTypes": [{"descriptions": [{"description": "Cross Site Request Forgery", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-11T09:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"name": "1038058", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038058"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/SA-2017-001"}, {"name": "96919", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96919"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@drupal.org", "ID": "CVE-2017-6379", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"version_value": "8.2.x versions before 8.2.7"}]}}]}, "vendor_name": "Drupal"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Request Forgery"}]}]}, "references": {"reference_data": [{"name": "1038058", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038058"}, {"name": "https://www.drupal.org/SA-2017-001", "refsource": "CONFIRM", "url": "https://www.drupal.org/SA-2017-001"}, {"name": "96919", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96919"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:25:49.262Z"}, "title": "CVE Program Container", "references": [{"name": "1038058", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038058"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/SA-2017-001"}, {"name": "96919", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96919"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6379", "datePublished": "2017-03-16T14:00:00", "dateReserved": "2017-02-28T00:00:00", "dateUpdated": "2024-08-05T15:25:49.262Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA084D8B-FEFC-41D5-A384-1DCB297CC1A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "5F5756FE-158A-4194-9E5E-EA918C4A3D1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "F344F3CE-C45E-4C3A-9F48-DAA0F2A49137", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "45C7BA91-93C2-4615-8A4D-11702FF5A155", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "615DED7F-691F-4EF8-BE82-6E51B4971BFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "467F335F-6FA1-413F-995F-29136658D969", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BABC38A1-0034-4CDE-B580-8026D6E0FE39", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "EFA63C78-B234-4EBA-99A2-070213D1DA19", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "997EF82A-B6C0-403A-BA58-E174FF2D981F", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "FAE56E4F-47D3-41F4-951E-3E4BBE74B6D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8601673A-8FF8-4430-BB24-038443E1CED8", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "AFD82372-D143-4AE7-8FE0-40FFD8F3E153", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID."}, {"lang": "es", "value": "Algunos caminos administrativos en Drupal 8.2.x en versiones anteriores a 8.2.7 no incluyeron protecci\u00f3n para CSRF. Esto permitir\u00eda a un atacante deshabilitar algunos bloques en un sitio. Este problema se ve mitigado por el hecho de que los usuarios tendr\u00edan que conocer la ID del bloque."}], "id": "CVE-2017-6379", "lastModified": "2017-07-12T01:29:18.003", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-16T14:59:00.267", "references": [{"source": "mlhess@drupal.org", "url": "http://www.securityfocus.com/bid/96919"}, {"source": "mlhess@drupal.org", "url": "http://www.securitytracker.com/id/1038058"}, {"source": "mlhess@drupal.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://www.drupal.org/SA-2017-001"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}