NVD Vulnerability Detail

CVE-2012-2707

Summary	The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.
Publication Date	June 27, 2012, 9:55 a.m.
Registration Date	Jan. 28, 2021, 2:58 p.m.
Last Update	Nov. 21, 2024, 10:39 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.2:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.3:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.4:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.5:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.6:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.7:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.8:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.x:dev::::::
execution environment
1	cpe:2.3:a:drupal:drupal:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://community.aegirproject.org/1.9
2	http://community.aegirproject.org/1.9
3	http://drupal.org/node/1585658	Patch
4	http://drupal.org/node/1585658	Patch
5	http://drupal.org/node/1585678	Vendor Advisory
6	http://drupal.org/node/1585678	Vendor Advisory
7	http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101	Exploit Patch
8	http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101	Exploit Patch
9	http://www.openwall.com/lists/oss-security/2012/06/14/3
10	http://www.openwall.com/lists/oss-security/2012/06/14/3
11	http://www.securityfocus.com/bid/53588
12	http://www.securityfocus.com/bid/53588
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/75715
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/75715

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

Drupal 用 Hostmaster モジュールにおけるアクセス制限を回避される脆弱性

Title	Drupal 用 Hostmaster モジュールにおけるアクセス制限を回避される脆弱性
Summary	Drupal 用 Hostmaster (Aegir) モジュールは、ユーザが package/task ノードにアクセスしない場合、適切に終了しないため、アクセス制限を回避され、権限が与えられていないノードを編集される脆弱性が存在します。
Possible impacts	第三者により、アクセス制限を回避され、権限が与えられていないノードを編集される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 16, 2012, midnight
Registration Date	June 29, 2012, 10:10 a.m.
Last Update	June 29, 2012, 10:10 a.m.

Affected System

Aegir project

Hostmaster (Aegir) 6.x-1.9 未満の 6.x-1.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-2707	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2707
National Vulnerability Database (NVD)
2	CVE-2012-2707	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2707

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Aegir Project
1	1.9 release notes	http://community.aegirproject.org/1.9
Drupal
2	Hostmaster (Aegir)	http://drupal.org/project/hostmaster
3	hostmaster 6.x-1.9	http://drupal.org/node/1585658
4	project/hostmaster.git / commitdiff	http://drupalcode.org/project/hostmaster.git/commitdiff/8a61101
Security advisories
5	DRUPAL-SA-CONTRIB-2012-080	http://drupal.org/node/1585678

Change Log

No	Changed Details	Date of change
0	[2012年06月29日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.2:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.3:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.4:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.5:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.6:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.7:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.8:::::::*
cpe:2.3:a:antoine_beaupre:hostmaster:6.x-1.x:dev::::::
execution environment
1	cpe:2.3:a:drupal:drupal:-:::::::*