CVE-2017-6930

{"id": "CVE-2017-6930", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-03-01T23:29:00.450", "references": [{"url": "https://www.drupal.org/sa-core-2018-001", "tags": ["Vendor Advisory"], "source": "mlhess@drupal.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records()."}, {"lang": "es", "value": "En las versiones 8.4.x de Drupal anteriores a la 8.4.5, al emplear controles de acceso a nodos con un sitio multiling\u00fce, Drupal marca la versi\u00f3n sin traducir de un nodo como la reserva por defecto para consultas de acceso. Esta reserva se emplea para lenguajes que a\u00fan no cuentan con una versi\u00f3n traducida del nodo creado. Esto puede resultar en una vulnerabilidad de omisi\u00f3n de acceso. El problema se mitiga por el hecho de que solo aplica a sitios que a) emplean el m\u00f3dulo Content Translation y b) emplean un m\u00f3dulo de acceso a nodos como Domain Access que implementa hook_node_access_records()."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C4AF907-5109-48BA-B510-8BC32A82C632", "versionEndExcluding": "8.4.5", "versionStartIncluding": "8.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "mlhess@drupal.org"}