{
  "GSD": {
    "alias": "CVE-2017-6922",
    "description": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
    "id": "GSD-2017-6922",
    "references": [
      "https://www.debian.org/security/2017/dsa-3897",
      "https://advisories.mageia.org/CVE-2017-6922.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-6922"
      ],
      "details": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
      "id": "GSD-2017-6922",
      "modified": "2023-12-13T01:21:09.995992Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "AKA": "",
        "ASSIGNER": "security@drupal.org",
        "DATE_PUBLIC": "",
        "ID": "CVE-2017-6922",
        "STATE": "PUBLIC",
        "TITLE": "Files uploaded by anonymous users into a private file system can be accessed by other anonymous users"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Drupal Core",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "platform": "",
                          "version_name": "Drupal 8 ",
                          "version_value": "8.3.3"
                        },
                        {
                          "affected": "\u003c",
                          "platform": "",
                          "version_name": "Drupal 7 ",
                          "version_value": "7.55"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Drupal"
            }
          ]
        }
      },
      "configuration": [],
      "credit": [],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."
          }
        ]
      },
      "exploit": [],
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "NONE",
          "baseScore": 0,
          "baseSeverity": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Access Bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "DSA-3897",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2017/dsa-3897"
          },
          {
            "name": "99219",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/99219"
          },
          {
            "name": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple",
            "refsource": "CONFIRM",
            "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
          },
          {
            "name": "1038781",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1038781"
          }
        ]
      },
      "solution": [],
      "source": {
        "advisory": "SA-CORE-2017-003",
        "defect": [],
        "discovery": "UNKNOWN"
      },
      "work_around": []
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c8.3.4",
          "affected_versions": "All versions before 8.3.4",
          "credit": "David Rothstein, Peter Wolanin, Michael Hess, xjm, Chris McCafferty, Lee Rowlands, Alex Pott, Nathaniel Catchpole, Stefan Ruijsenaars, Nate Haug, Gareth Goodwin",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-552",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
          "fixed_versions": [
            "8.3.4"
          ],
          "identifier": "CVE-2017-6922",
          "identifiers": [
            "CVE-2017-6922"
          ],
          "not_impacted": "All versions starting from 8.3.4",
          "package_slug": "packagist/drupal/core",
          "pubdate": "2019-01-22",
          "solution": "Upgrade to version 8.3.4 or above.",
          "title": "Files uploaded by anonymous users accessed by other users",
          "urls": [
            "https://www.drupal.org/SA-CORE-2017-003"
          ],
          "uuid": "4a9fc6ad-07c0-4726-8150-28c58c13e1b3"
        },
        {
          "affected_range": "\u003c8.3.4",
          "affected_versions": "All versions before 8.3.4",
          "credit": "David Rothstein, Peter Wolanin, Michael Hess, xjm, Chris McCafferty, Lee Rowlands, Alex Pott, Nathaniel Catchpole, Stefan Ruijsenaars, Nate Haug, Gareth Goodwin",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-552",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core does not provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
          "fixed_versions": [
            "8.3.4"
          ],
          "identifier": "CVE-2017-6922",
          "identifiers": [
            "CVE-2017-6922"
          ],
          "not_impacted": "All versions starting from 8.3.4",
          "package_slug": "packagist/drupal/drupal",
          "pubdate": "2019-01-22",
          "solution": "Upgrade to version 8.3.4 or above.",
          "title": "Files uploaded by anonymous users accessed by other users",
          "urls": [
            "https://www.drupal.org/SA-CORE-2017-003"
          ],
          "uuid": "1a4cf83c-499b-4e74-b597-07ba4d9802e4"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.56",
                "versionStartIncluding": "7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.3.4",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@drupal.org",
          "ID": "CVE-2017-6922"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-552"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
            },
            {
              "name": "DSA-3897",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2017/dsa-3897"
            },
            {
              "name": "1038781",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1038781"
            },
            {
              "name": "99219",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/99219"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:29Z",
      "publishedDate": "2019-01-22T15:29Z"
    }
  }
}

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Drupal core 8.x versions ant\u00e9rieures \u00e0 8.3.4",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    },
    {
      "description": "Drupal core 7.x versions ant\u00e9rieures \u00e0 7.56",
      "product": {
        "name": "Drupal",
        "vendor": {
          "name": "Drupal",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2017-6922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-6922"
    },
    {
      "name": "CVE-2017-6921",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-6921"
    },
    {
      "name": "CVE-2017-6920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2017-6920"
    }
  ],
  "initial_release_date": "2017-06-22T00:00:00",
  "last_revision_date": "2017-06-22T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-003 du 21 juin    2017",
      "url": "https://www.drupal.org/SA-CORE-2017-003"
    }
  ],
  "reference": "CERTFR-2017-AVI-192",
  "revisions": [
    {
      "description": "version initiale",
      "revision_date": "2017-06-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eDrupal\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 la confidentialit\u00e9 des\ndonn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Drupal",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Drupal SA-CORE-2017-003 du 21 juin 2017",
      "url": null
    }
  ]
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.56"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0"
            },
            {
              "fixed": "8.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/drupal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0"
            },
            {
              "fixed": "7.56"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-6922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:30:57Z",
    "nvd_published_at": "2019-01-22T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
  "id": "GHSA-58f3-cx8p-h8jg",
  "modified": "2024-04-23T22:30:57Z",
  "published": "2022-05-13T01:36:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6922"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6922.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6922.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3897"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/SA-CORE-2017-003"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99219"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038781"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal core access bypass vulnerability"
}

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67B5E690-BB08-4EB3-BD48-5301A360187C",
              "versionEndExcluding": "7.56",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0C572FD-C76D-4714-85A3-5CFF9F292C2C",
              "versionEndExcluding": "8.3.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."
    },
    {
      "lang": "es",
      "value": "En Drupal core, en las versiones 8.x anteriores a la 8.3.4 y en las 7.x anteriores a la 7.56, los archivos privados subidos por un usuario an\u00f3nimo que no est\u00e9n conectados al contenido del sitio deber\u00edan ser visibles solo para el mismo usuario an\u00f3nimo que los subi\u00f3, en lugar de todos los usuarios an\u00f3nimos.  Anteriormente, Drupal core no dispon\u00eda de esta protecci\u00f3n, permitiendo que ocurriera una vulnerabilidad de omisi\u00f3n de acceso. Este problema se mitiga por el hecho de que, para que se vea afectado, el sitio deber\u00e1 permitir a los usuarios an\u00f3nimos subir archivos a un sistema de archivos privado."
    }
  ],
  "id": "CVE-2017-6922",
  "lastModified": "2024-11-21T03:30:49.050",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-01-22T15:29:00.223",
  "references": [
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/99219"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1038781"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2017/dsa-3897"
    },
    {
      "source": "mlhess@drupal.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/99219"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1038781"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2017/dsa-3897"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
    }
  ],
  "sourceIdentifier": "mlhess@drupal.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-552"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-6922"
    }
  },
  "description": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal 7.56\u4e4b\u524d\u76847.x\u7248\u672c\u548c8.3.4\u4e4b\u524d\u76848.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\u3002",
  "discovererName": "Greg Knaddison, Mori Sugimoto of the Drupal Security team, and iancawthorne.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.drupal.org/SA-CORE-2017-003",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-13904",
  "openTime": "2017-07-12",
  "patchDescription": "Drupal\u662fDrupal\u793e\u533a\u6240\u7ef4\u62a4\u7684\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal 7.56\u4e4b\u524d\u76847.x\u7248\u672c\u548c8.3.4\u4e4b\u524d\u76848.x\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Drupal\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Drupal Drupal 7.*\u003c7.56",
      "Drupal Drupal  8.*\u003c 8.3.4"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/99219",
  "serverity": "\u4e2d",
  "submitTime": "2017-06-23",
  "title": "Drupal\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e"
}