ID CVE-2017-6920
Summary Drupal core 8 before version 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
References
Vulnerable Configurations
  • Drupal 8.0.0
    cpe:2.3:a:drupal:drupal:8.0.0
  • Drupal 8.0.0 Alpha 10
    cpe:2.3:a:drupal:drupal:8.0.0:alpha10
  • Drupal 8.0.0 Alpha 11
    cpe:2.3:a:drupal:drupal:8.0.0:alpha11
  • Drupal 8.0.0 Alpha 12
    cpe:2.3:a:drupal:drupal:8.0.0:alpha12
  • Drupal 8.0.0 Alpha 13
    cpe:2.3:a:drupal:drupal:8.0.0:alpha13
  • Drupal 8.0.0 Alpha 14
    cpe:2.3:a:drupal:drupal:8.0.0:alpha14
  • Drupal 8.0.0 Alpha 15
    cpe:2.3:a:drupal:drupal:8.0.0:alpha15
  • Drupal 8.0.0 Alpha 2
    cpe:2.3:a:drupal:drupal:8.0.0:alpha2
  • Drupal 8.0.0 Alpha 3
    cpe:2.3:a:drupal:drupal:8.0.0:alpha3
  • Drupal 8.0.0 Alpha 4
    cpe:2.3:a:drupal:drupal:8.0.0:alpha4
  • Drupal 8.0.0 Alpha 5
    cpe:2.3:a:drupal:drupal:8.0.0:alpha5
  • Drupal 8.0.0 Alpha 6
    cpe:2.3:a:drupal:drupal:8.0.0:alpha6
  • Drupal 8.0.0 Alpha 7
    cpe:2.3:a:drupal:drupal:8.0.0:alpha7
  • Drupal 8.0.0 Alpha 8
    cpe:2.3:a:drupal:drupal:8.0.0:alpha8
  • Drupal 8.0.0 Alpha 9
    cpe:2.3:a:drupal:drupal:8.0.0:alpha9
  • Drupal 8.0.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.0.0:beta1
  • Drupal 8.0.0 Beta 10
    cpe:2.3:a:drupal:drupal:8.0.0:beta10
  • Drupal 8.0.0 Beta 11
    cpe:2.3:a:drupal:drupal:8.0.0:beta11
  • Drupal 8.0.0 Beta 12
    cpe:2.3:a:drupal:drupal:8.0.0:beta12
  • Drupal 8.0.0 Beta 13
    cpe:2.3:a:drupal:drupal:8.0.0:beta13
  • Drupal 8.0.0 Beta 14
    cpe:2.3:a:drupal:drupal:8.0.0:beta14
  • Drupal 8.0.0 Beta 15
    cpe:2.3:a:drupal:drupal:8.0.0:beta15
  • Drupal 8.0.0 Beta 16
    cpe:2.3:a:drupal:drupal:8.0.0:beta16
  • Drupal 8.0.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.0.0:beta2
  • Drupal 8.0.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.0.0:beta3
  • Drupal 8.0.0 Beta 4
    cpe:2.3:a:drupal:drupal:8.0.0:beta4
  • Drupal 8.0.0 Beta 6
    cpe:2.3:a:drupal:drupal:8.0.0:beta6
  • Drupal 8.0.0 Beta 7
    cpe:2.3:a:drupal:drupal:8.0.0:beta7
  • Drupal 8.0.0 Beta 9
    cpe:2.3:a:drupal:drupal:8.0.0:beta9
  • Drupal 8.0.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.0.0:rc1
  • Drupal 8.0.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.0.0:rc2
  • Drupal 8.0.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:8.0.0:rc3
  • Drupal 8.0.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:8.0.0:rc4
  • Drupal 8.0.1
    cpe:2.3:a:drupal:drupal:8.0.1
  • Drupal 8.0.2
    cpe:2.3:a:drupal:drupal:8.0.2
  • Drupal 8.0.3
    cpe:2.3:a:drupal:drupal:8.0.3
  • Drupal 8.0.4
    cpe:2.3:a:drupal:drupal:8.0.4
  • Drupal 8.0.5
    cpe:2.3:a:drupal:drupal:8.0.5
  • Drupal 8.0.6
    cpe:2.3:a:drupal:drupal:8.0.6
  • Drupal 8.1.0
    cpe:2.3:a:drupal:drupal:8.1.0
  • Drupal 8.1.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.1.0:beta1
  • Drupal 8.1.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.1.0:beta2
  • Drupal 8.1.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.1.0:rc1
  • Drupal 8.1.1
    cpe:2.3:a:drupal:drupal:8.1.1
  • Drupal 8.1.2
    cpe:2.3:a:drupal:drupal:8.1.2
  • Drupal 8.1.3
    cpe:2.3:a:drupal:drupal:8.1.3
  • Drupal 8.1.4
    cpe:2.3:a:drupal:drupal:8.1.4
  • Drupal 8.1.5
    cpe:2.3:a:drupal:drupal:8.1.5
  • Drupal 8.1.6
    cpe:2.3:a:drupal:drupal:8.1.6
  • Drupal 8.1.7
    cpe:2.3:a:drupal:drupal:8.1.7
  • Drupal 8.1.8
    cpe:2.3:a:drupal:drupal:8.1.8
  • Drupal 8.1.9
    cpe:2.3:a:drupal:drupal:8.1.9
  • Drupal 8.1.10
    cpe:2.3:a:drupal:drupal:8.1.10
  • Drupal 8.2.0
    cpe:2.3:a:drupal:drupal:8.2.0
  • Drupal 8.2.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.2.0:beta1
  • Drupal 8.2.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.2.0:beta2
  • Drupal 8.2.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.2.0:beta3
  • Drupal 8.2.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.2.0:rc1
  • Drupal 8.2.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.2.0:rc2
  • Drupal 8.2.1
    cpe:2.3:a:drupal:drupal:8.2.1
  • Drupal 8.2.2
    cpe:2.3:a:drupal:drupal:8.2.2
  • Drupal 8.2.3
    cpe:2.3:a:drupal:drupal:8.2.3
  • Drupal 8.2.4
    cpe:2.3:a:drupal:drupal:8.2.4
  • Drupal 8.2.5
    cpe:2.3:a:drupal:drupal:8.2.5
  • Drupal 8.2.6
    cpe:2.3:a:drupal:drupal:8.2.6
  • Drupal 8.2.7
    cpe:2.3:a:drupal:drupal:8.2.7
  • Drupal 8.3.0
    cpe:2.3:a:drupal:drupal:8.3.0
  • Drupal 8.3.0 Alpha 1
    cpe:2.3:a:drupal:drupal:8.3.0:alpha1
  • Drupal 8.3.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.3.0:beta1
  • Drupal 8.3.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.3.0:rc1
  • Drupal 8.3.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.3.0:rc2
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4FC2DF49627911E7BE0F6CF0497DB129.NASL
    description Drupal Security Team Reports:
      • CVE-2017-6920: PECL YAML parser unsafe object handling.
      • CVE-2017-6921: File REST resource does not properly validate
      • CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users.
    last seen 2018-10-06
    modified 2018-10-05
    plugin id 101276
    published 2017-07-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101276
    title FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (4fc2df49-6279-11e7-be0f-6cf0497db129)
  • NASL family CGI abuses
    NASL id DRUPAL_8_3_4.NASL
    description According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.56 or 8.x prior to 8.3.4. It is, therefore, affected by multiple vulnerabilities:
      • A flaw exists in the PECL YAML parser due to unsafe handling of PHP objects during certain operations. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-6920)
      • A flaw exists in the file REST resource due to improper validation of user-supplied input to multiple fields when manipulating files. An unauthenticated, remote attacker can exploit this to have an unspecified impact on integrity. Note that a site is only affected by this issue if it has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and the attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. (CVE-2017-6921)
      • An information disclosure vulnerability exists due to a failure to ensure that private files that have been uploaded by an anonymous user but not permanently attached to content on the site are only visible to the anonymous user who uploaded them instead of all anonymous users. An unauthenticated, remote attacker can exploit this to disclose the files of other anonymous users. (CVE-2017-6922)
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-10-05
    modified 2018-06-14
    plugin id 101063
    published 2017-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101063
    title Drupal 7.x < 7.56 / 8.x < 8.3.4 Multiple Vulnerabilities (SA-CORE-2017-003)
refmap via4
bid 99211
confirm https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple
sectrack 1038781
Last major update 07-08-2018 - 21:29
Published 06-08-2018 - 11:29
Last modified 04-10-2018 - 12:16