CVE-2009-4044

The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://drupal.org/node/630244	Vendor Advisory
http://www.securityfocus.com/bid/37000
http://www.vupen.com/english/advisories/2009/3218	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/54249
http://drupal.org/node/630244	Vendor Advisory
http://www.securityfocus.com/bid/37000
http://www.vupen.com/english/advisories/2009/3218	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/54249

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:bruno_massa:web_services:6.x-1.0:*:*:*:*:*:*:*

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2009-11-20 19:30

Updated : 2025-04-09 00:30

NVD link : CVE-2009-4044

Mitre link : CVE-2009-4044

CVE.ORG link : CVE-2009-4044

JSON object : View

Products Affected

bruno_massa

web_services

drupal

drupal

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2009-4044", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-11-20T19:30:01.047", "references": [{"url": "http://drupal.org/node/630244", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/37000", "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2009/3218", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54249", "source": "cve@mitre.org"}, {"url": "http://drupal.org/node/630244", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/37000", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2009/3218", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54249", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors."}, {"lang": "es", "value": "El m\u00f3dulo \"Web Services\" v6.x de Drupal no realiza correctamente el control de acceso, lo que permite a atacantes remotos para hacer un uso no especificado de una API a trav\u00e9s de vectores desconocidos."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bruno_massa:web_services:6.x-1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E33CA31-4EDD-45A9-B3A8-C83DB6E92201"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "799CA80B-F3FA-4183-A791-2071A7DA1E54"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}