RestWS makes Drupal Entity data available in a REST API.
The module doesn’t sufficiently check for access to properties when filtering queries.
This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties, and that the attacker can only query on the property equalling a value supplied by the attacker.
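The flaw class described above, as an added example that is not RestWS code: a simplified Python model in which a filter on a hidden property is applied without a property-level access check, next to a version that refuses such filters. All names and the sample data are hypothetical and constructed for illustration.

```python
# Simplified model of property-level access checks in a REST filter query.
# All names (ENTITIES, PROPERTY_ACCESS, query_*) are hypothetical, not RestWS APIs.

# Constructed sample data: "mail" is an access-controlled property.
ENTITIES = [
    {"id": 1, "name": "alice", "mail": "alice@example.com"},
    {"id": 2, "name": "bob", "mail": "bob@example.com"},
]

# Which roles may view each property.
PROPERTY_ACCESS = {
    "id": {"editor", "admin"},
    "name": {"editor", "admin"},
    "mail": {"admin"},
}


class AccessDenied(Exception):
    """Raised when a filter names a property the caller may not view."""


def can_view(role, prop):
    return role in PROPERTY_ACCESS.get(prop, set())


def render(entity, role):
    # Output is already restricted to properties the role may view.
    return {k: v for k, v in entity.items() if can_view(role, k)}


def query_unchecked(role, filters):
    # Flawed: filters are applied to every property, so whether a row comes
    # back reveals if a hidden property equals the supplied value.
    hits = [e for e in ENTITIES
            if all(e.get(p) == v for p, v in filters.items())]
    return [render(e, role) for e in hits]


def query_checked(role, filters):
    # Fixed: refuse any filter on a property the caller cannot view
    # (unknown properties are refused too) before running the query.
    for prop in filters:
        if not can_view(role, prop):
            raise AccessDenied(prop)
    return query_unchecked(role, filters)
```

In the unchecked version the hidden value never appears in the output, yet the presence or absence of a row confirms a supplied value, which matches the equality-only limitation the advisory describes.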
Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.
Install the latest version:
Also see the RESTful Web Services project page.
www.drupal.org/project/restws
www.drupal.org/project/restws/releases/7.x-2.7