High severity7.5NVD Advisory· Published Apr 20, 2017· Updated Jun 17, 2026
CVE-2017-6919
CVE-2017-6919
Description
Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 8.0, < 8.2.8 | 8.2.8 |
drupal/corePackagist | >= 8.3.0, < 8.3.1 | 8.3.1 |
drupal/drupalPackagist | >= 8.0, < 8.2.8 | 8.2.8 |
drupal/drupalPackagist | >= 8.3.0, < 8.3.1 | 8.3.1 |
Affected products
73cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*+ 70 more
- cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.3.0:rc2:*:*:*:*:*:*
- ghsa-coords2 versions
>= 8.0, < 8.2.8+ 1 more
- (no CPE)range: >= 8.0, < 8.2.8
- (no CPE)range: >= 8.0, < 8.2.8
Patches
Vulnerability mechanics
References
8- www.drupal.org/SA-CORE-2017-002nvdPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/97941nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-6hpj-9xj7-2jxxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-6919ghsaADVISORY
- www.securitytracker.com/id/1038371nvdWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6919.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6919.yamlghsaWEB
- www.drupal.org/SA-2017-002ghsaWEB
News mentions
0No linked articles in our index yet.