Date: Wed, 13 Jul 2016 11:41:53 -0400 (EDT)
From: cve-assign@...re.org
To: pere@...a.cat
Cc: cve-assign@...re.org, security@...pal.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests for Drupal Core - SA-CORE-2016-002

> https://www.drupal.org/SA-CORE-2016-002
> 
> Saving user accounts can sometimes grant the user all roles (User
> module - Drupal 7 - Moderately Critical)
> 
> A vulnerability exists in the User module, where if some specific
> contributed or custom code triggers a rebuild of the user profile
> form, a registered user can be granted all user roles on the site.
> This would typically result in the user gaining administrative access.

Use CVE-2016-6211.


> https://www.drupal.org/SA-CORE-2016-002
> https://www.drupal.org/node/2749333
> 
> Views can allow unauthorized users to see Statistics information
> (Views module - Drupal 8 - Less Critical)
> 
> An access bypass vulnerability exists in the Views module, where users
> without the "View content count" permission can see the number of hits
> collected by the Statistics module for results in the view.
> 
> The same vulnerability exists in the Drupal 7 Views module (see
> SA-CONTRIB-2016-036).

Use CVE-2016-6212 for both the issue in Drupal Core and the issue
in the Drupal 7 Views module.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
