Description
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
Remediation
References
Related Vulnerabilities
Drupal Core 8.7.x Security Bypass (8.7.0 - 8.7.10)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2009-2901)
MySQL CVE-2018-3145 Vulnerability (CVE-2018-3145)
MySQL CVE-2024-21247 Vulnerability (CVE-2024-21247)
Jboss EAP Improper Input Validation Vulnerability (CVE-2011-4314)