This was a critical access bypass vulnerability. A site was affected only when the following conditions were met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
Part of security release SA-CORE-2017-002.
This vulnerability affects the following application versions:
- Drupal 8.0.0
- Drupal 8.0.1
- Drupal 8.0.2
- Drupal 8.0.3
- Drupal 8.0.4
- Drupal 8.0.5
- Drupal 8.0.6
- Drupal 8.1.0
- Drupal 8.1.1
- Drupal 8.1.2
- Drupal 8.1.3
- Drupal 8.1.4
- Drupal 8.1.5
- Drupal 8.1.6
- Drupal 8.1.7
- Drupal 8.1.8
- Drupal 8.1.9
- Drupal 8.1.10
- Drupal 8.2.0
- Drupal 8.2.1
- Drupal 8.2.2
- Drupal 8.2.3
- Drupal 8.2.4
- Drupal 8.2.5
- Drupal 8.2.6
- Drupal 8.2.7
- Drupal 8.3.0