CVE-2017-6922 - OpenCVE

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/99219
http://www.securitytracker.com/id/1038781
https://www.debian.org/security/2017/dsa-3897
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple

History

No history.

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2019-01-22T15:00:00Z

Updated: 2024-09-16T19:04:17.971Z

Reserved: 2017-03-16T00:00:00

Link: CVE-2017-6922

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-01-22T15:29:00.223

Modified: 2023-11-07T02:49:59.607

Link: CVE-2017-6922

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal", "versions": [{"lessThan": "8.3.3", "status": "affected", "version": "Drupal 8", "versionType": "custom"}, {"lessThan": "7.55", "status": "affected", "version": "Drupal 7", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}], "problemTypes": [{"descriptions": [{"description": "Access Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-23T10:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"name": "DSA-3897", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3897"}, {"name": "99219", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99219"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}, {"name": "1038781", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038781"}], "source": {"advisory": "SA-CORE-2017-003", "discovery": "UNKNOWN"}, "title": "Files uploaded by anonymous users into a private file system can be accessed by other anonymous users", "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@drupal.org", "DATE_PUBLIC": "", "ID": "CVE-2017-6922", "STATE": "PUBLIC", "TITLE": "Files uploaded by anonymous users into a private file system can be accessed by other anonymous users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"affected": "<", "platform": "", "version_affected": "<", "version_name": "Drupal 8", "version_value": "8.3.3"}, {"affected": "<", "platform": "", "version_affected": "<", "version_name": "Drupal 7", "version_value": "7.55"}]}}]}, "vendor_name": "Drupal"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}]}, "exploit": [], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Access Bypass"}]}]}, "references": {"reference_data": [{"name": "DSA-3897", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3897"}, {"name": "99219", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99219"}, {"name": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple", "refsource": "CONFIRM", "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}, {"name": "1038781", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038781"}]}, "solution": [], "source": {"advisory": "SA-CORE-2017-003", "defect": [], "discovery": "UNKNOWN"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:49:01.343Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3897", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-3897"}, {"name": "99219", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/99219"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}, {"name": "1038781", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038781"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6922", "datePublished": "2019-01-22T15:00:00Z", "dateReserved": "2017-03-16T00:00:00", "dateUpdated": "2024-09-16T19:04:17.971Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "67B5E690-BB08-4EB3-BD48-5301A360187C", "versionEndExcluding": "7.56", "versionStartIncluding": "7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0C572FD-C76D-4714-85A3-5CFF9F292C2C", "versionEndExcluding": "8.3.4", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}, {"lang": "es", "value": "En Drupal core, en las versiones 8.x anteriores a la 8.3.4 y en las 7.x anteriores a la 7.56, los archivos privados subidos por un usuario an\u00f3nimo que no est\u00e9n conectados al contenido del sitio deber\u00edan ser visibles solo para el mismo usuario an\u00f3nimo que los subi\u00f3, en lugar de todos los usuarios an\u00f3nimos. Anteriormente, Drupal core no dispon\u00eda de esta protecci\u00f3n, permitiendo que ocurriera una vulnerabilidad de omisi\u00f3n de acceso. Este problema se mitiga por el hecho de que, para que se vea afectado, el sitio deber\u00e1 permitir a los usuarios an\u00f3nimos subir archivos a un sistema de archivos privado."}], "id": "CVE-2017-6922", "lastModified": "2023-11-07T02:49:59.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-22T15:29:00.223", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99219"}, {"source": "mlhess@drupal.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038781"}, {"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-3897"}, {"source": "mlhess@drupal.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}]}