CVE-2013-7068 - OpenCVE

The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Organic Groups Project	Organic Groups

Configuration 1 [-]

OR	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:-::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha1::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha2::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha3::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta1::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta2::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta3::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta4::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc1::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc2::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc3::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc4::::drupal::*
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.1:::::drupal::
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.2:::::drupal::
	cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.x:dev::::drupal::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2013/12/06/7
http://www.openwall.com/lists/oss-security/2013/12/12/1
https://drupal.org/node/2140209	Patch
https://drupal.org/node/2140217	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-04-29T14:00:00

Updated: 2014-04-29T12:57:00

Reserved: 2013-12-11T00:00:00

Link: CVE-2013-7068

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-04-29T14:38:43.907

Modified: 2014-04-29T17:52:47.283

Link: CVE-2013-7068

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-11-20T00:00:00", "descriptions": [{"lang": "en", "value": "The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-04-29T12:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20131211 Re: CVE request for Drupal core, and contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/12/12/1"}, {"tags": ["x_refsource_MISC"], "url": "https://drupal.org/node/2140217"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://drupal.org/node/2140209"}, {"name": "[oss-security] 20131206 CVE request for Drupal core, and contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/12/06/7"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7068", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20131211 Re: CVE request for Drupal core, and contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/12/12/1"}, {"name": "https://drupal.org/node/2140217", "refsource": "MISC", "url": "https://drupal.org/node/2140217"}, {"name": "https://drupal.org/node/2140209", "refsource": "CONFIRM", "url": "https://drupal.org/node/2140209"}, {"name": "[oss-security] 20131206 CVE request for Drupal core, and contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/12/06/7"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7068", "datePublished": "2014-04-29T14:00:00", "dateReserved": "2013-12-11T00:00:00", "dateUpdated": "2014-04-29T12:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:-:*:*:*:drupal:*:*", "matchCriteriaId": "AF72996D-7ABE-4F85-ABC8-5D0FA973845A", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha1:*:*:*:drupal:*:*", "matchCriteriaId": "757C478D-3E62-4992-8A78-AD4309955400", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha2:*:*:*:drupal:*:*", "matchCriteriaId": "CF2D03A8-8844-467D-AFB2-F4EDA35EBFF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha3:*:*:*:drupal:*:*", "matchCriteriaId": "1CE40904-4E21-44A0-8EF8-AAF0E7B5726C", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta1:*:*:*:drupal:*:*", "matchCriteriaId": "31A865F3-7276-4D4F-A238-1F2A99078DA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta2:*:*:*:drupal:*:*", "matchCriteriaId": "BF15DDBA-F639-4DEC-804B-8B998C2E906B", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta3:*:*:*:drupal:*:*", "matchCriteriaId": "A990C458-AD98-4B69-A27A-A13EDC35D9FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta4:*:*:*:drupal:*:*", "matchCriteriaId": "61CA452F-691C-4D5A-8391-827853BA7859", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc1:*:*:*:drupal:*:*", "matchCriteriaId": "E52E67B3-9594-4513-9707-03A49ACD6356", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc2:*:*:*:drupal:*:*", "matchCriteriaId": "ABA5E86F-070A-4CDC-AE59-0A56B611CF11", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc3:*:*:*:drupal:*:*", "matchCriteriaId": "2B0F3805-C347-4799-98D4-45B8131FA4BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc4:*:*:*:drupal:*:*", "matchCriteriaId": "D0D4979C-61EF-4542-B7C1-186B2BD8F03B", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.1:*:*:*:*:drupal:*:*", "matchCriteriaId": "CA1513EB-F578-4EB9-B117-BC941E204F13", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.2:*:*:*:*:drupal:*:*", "matchCriteriaId": "02206421-1BEA-4E36-83EF-E56B28A94DA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.x:dev:*:*:*:drupal:*:*", "matchCriteriaId": "B2C3EC71-ED91-4FA6-9DBD-F724DD1CBABE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field."}, {"lang": "es", "value": "El m\u00f3dulo Organic Groups (OG) 7.x-2.x anterior a 7.x-2.3 para Drupal, permite a usuarios remotos autenticados evadir restricciones de grupo en nodos con todos los grupos configurados con entrada de datos opcional a trav\u00e9s de un grupo de campos vac\u00edo."}], "id": "CVE-2013-7068", "lastModified": "2014-04-29T17:52:47.283", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-29T14:38:43.907", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/12/06/7"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2013/12/12/1"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://drupal.org/node/2140209"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://drupal.org/node/2140217"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}