CVSS2: 4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.967 High (percentile 99.7%)
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.
The module’s entity wrapper access API doesn’t sufficiently protect comment, user and node statistics properties from unprivileged user access.
This vulnerability is mitigated by the fact that a module must be enabled that relies on the Entity property access API and it must be configured to expose either comment, user or node statistics properties. One example would be the RESTful Web Services module (RESTWS) with the permission configured to access the comment, user or node resource for untrusted web service consumers.
The module’s entity wrapper access API doesn’t sufficiently check entity access on referenced entities such as taxonomy terms.
This vulnerability is mitigated by the fact that a module must be enabled that uses the access() method of entity metadata wrappers to determine access to a property which references multiple entities to which access is not granted. One example would be the RESTful Web Services module (RESTWS) with correspondingly configured permissions on an entity property or (entity reference) field, for example a list of (inaccessible) referenced user entities on a node entity.
The module’s entity_access() API doesn’t protect unpublished comments from being viewed by unprivileged users.
This vulnerability is mitigated by the fact that a module must be enabled which uses the provided entity access API on comments, and the comment module must be enabled.
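The two wrapper-related issues described above (referenced entities whose access is not checked one by one, and unpublished comments passing an entity_access() view check) can be guarded against in any module that exposes entity data to untrusted consumers. The following is an added example, not code from the Entity API module or from the advisory's fix; it assumes a Drupal 7 site with the Entity API and Comment modules enabled, and the example_* function names are hypothetical.

```php
<?php
// Added example (not code from the Entity API module or the advisory).
// Assumes Drupal 7 with the Entity API and Comment modules enabled; the
// example_* names are hypothetical. Pattern shown: check every referenced
// entity with entity_access() instead of trusting one wrapper-level access()
// result, and never expose unpublished comments to accounts that lack the
// 'administer comments' permission.

/**
 * Returns the entities referenced by $property that $account may view.
 *
 * Handles both single references (EntityDrupalWrapper) and multi-valued
 * references (EntityListWrapper); anything the account cannot view is dropped.
 */
function example_viewable_references(EntityMetadataWrapper $wrapper, $property, $account = NULL) {
  $account = isset($account) ? $account : $GLOBALS['user'];
  $viewable = array();

  // Only structure wrappers carry named properties; unknown property => nothing.
  if (!($wrapper instanceof EntityStructureWrapper) || !isset($wrapper->$property)) {
    return $viewable;
  }
  $ref = $wrapper->$property;
  // Normalise to something iterable so one loop covers both cases.
  $items = ($ref instanceof EntityListWrapper) ? $ref : array($ref);

  foreach ($items as $item) {
    if (!($item instanceof EntityDrupalWrapper)) {
      continue;
    }
    $entity = $item->value();
    if (!$entity) {
      continue;
    }
    // Per-entity check: a term, user or node this account may not view is omitted.
    if (example_entity_view_access($item->type(), $entity, $account)) {
      $viewable[] = $entity;
    }
  }
  return $viewable;
}

/**
 * View access check that adds the comment publication rule on top of
 * entity_access(): an unpublished comment is visible only to accounts with
 * 'administer comments'. entity_access() returns NULL when an entity type
 * declares no access callback, which this helper treats as a denial.
 */
function example_entity_view_access($entity_type, $entity, $account) {
  if ($entity_type == 'comment' && $entity->status != COMMENT_PUBLISHED) {
    return user_access('administer comments', $account);
  }
  return (bool) entity_access('view', $entity_type, $entity, $account);
}
```

A module exposing a node's taxonomy terms or referenced users through a web service would call example_viewable_references($node_wrapper, 'field_tags') (field name assumed) with the consumer's account and serialise only what comes back, rather than relying on the wrapper's access() answer for the whole property.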
Drupal core is not affected. If you do not use the contributed Entity API module, there is nothing you need to do.
Install the latest version:
Also see the Entity API project page: drupal.org/project/entity