SCA: security update for drupal/core, drupal/drupal (GHSA-p8g6-5mg7-9r5q)

high Tenable Cloud Security Plugin ID 433417

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post
comments via REST that are approved even if the user does not have permission to post approved comments.
This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity
REST resource enabled, and where an attacker can access a user account on the site with permissions to
post comments, or where anonymous users can post comments. (CVE-2017-6924)

See Also

https://github.com/advisories/GHSA-p8g6-5mg7-9r5q

Plugin Details

Severity: High

ID: 433417

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2017-6924

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2022

Vulnerability Publication Date: 8/16/2017

Reference Information

CVE: CVE-2017-6924

BID: 100368

cwe: CWE-269