Access Bypass in Drupal's Revision System for Node and Media Content
CVE-2022-25274

5.4MEDIUM

Key Information:

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 26 April 2023

Summary

Drupal 9.3 introduced a generic entity access API for managing entity revisions. However, the API was not fully integrated with the existing permission system, leading to potential access bypass for users who can interact with content revisions without possessing the requisite permissions for specific items within node and media content. This issue primarily affects installations utilizing Drupal's revision system, thereby posing a risk to content security.

Affected Version(s)

Core 9.3 < 9.3.12

References

https://www.drupal.org/sa-core-2022-009

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Feb 16, 2022