CVE-2022-25274

EPSS 0.17%
Veröffentlicht 26.04.2023 14:15:09
Zuletzt bearbeitet 03.02.2025 19:15:08
Quelle mlhess@drupal.org
Teams Watchlist Login
Unerledigt Login

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 9.3.0 < 9.3.12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.39

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.drupal.org/sa-core-2022-009

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-25274

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-25274

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-25274

EUVD