CVE-2017-6928 - OpenCVE

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Drupal	Drupal

Configuration 1 [-]

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html
https://www.debian.org/security/2018/dsa-4123
https://www.drupal.org/sa-core-2018-001

History

No history.

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2018-03-01T22:00:00Z

Updated: 2024-09-16T23:11:04.095Z

Reserved: 2017-03-16T00:00:00

Link: CVE-2017-6928

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-01T23:29:00.357

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-6928

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal.org", "versions": [{"status": "affected", "version": "Drupal 7.x versions before 7.57"}]}], "datePublic": "2018-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations."}], "problemTypes": [{"descriptions": [{"description": "Access bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-02T10:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"name": "DSA-4123", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4123"}, {"name": "[debian-lts-announce] 20180228 [SECURITY] [DLA 1295-1] drupal7 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/sa-core-2018-001"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@drupal.org", "DATE_PUBLIC": "2018-02-21T00:00:00", "ID": "CVE-2017-6928", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"version_value": "Drupal 7.x versions before 7.57"}]}}]}, "vendor_name": "Drupal.org"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Access bypass"}]}]}, "references": {"reference_data": [{"name": "DSA-4123", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4123"}, {"name": "[debian-lts-announce] 20180228 [SECURITY] [DLA 1295-1] drupal7 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"}, {"name": "https://www.drupal.org/sa-core-2018-001", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2018-001"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:49:02.767Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4123", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4123"}, {"name": "[debian-lts-announce] 20180228 [SECURITY] [DLA 1295-1] drupal7 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/sa-core-2018-001"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6928", "datePublished": "2018-03-01T22:00:00Z", "dateReserved": "2017-03-16T00:00:00", "dateUpdated": "2024-09-16T23:11:04.095Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAF33815-3D31-4DC0-90EB-2649F94EA368", "versionEndExcluding": "7.57", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations."}, {"lang": "es", "value": "Las versiones 7.x de Drupal core anteriores a la 7.57, cuando emplean el sistema de archivos privado de Drupal, comprobar\u00e1n si un usuario tiene acceso a un archivo antes de permitirle verlo o descargarlo. Esta comprobaci\u00f3n fracasa en ciertos casos en los que un m\u00f3dulo intenta otorgar acceso al archivo y otro intenta denegarlo, lo que conduce a una vulnerabilidad de omisi\u00f3n de acceso. La vulnerabilidad se mitiga por el hecho de que solo ocurre en configuraciones de sitio poco comunes."}], "id": "CVE-2017-6928", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-01T23:29:00.357", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html"}, {"source": "mlhess@drupal.org", "tags": ["Issue Tracking"], "url": "https://www.debian.org/security/2018/dsa-4123"}, {"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2018-001"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}