CVE-2017-6922

Published: Jan 22, 2019

Modified: Sep 16, 2024

PUBLISHED

Description

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than to all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that, in order to be affected, the site must allow anonymous users to upload files into a private file system.

Vendor: Drupal

Product: Drupal Core

Versions:
affected: Drupal 8 - < 8.3.3
affected: Drupal 7 - < 7.55

References

DSA-3897 (vendor-advisory, x_refsource_DEBIAN)
99219 (vdb-entry, x_refsource_BID)
1038781 (vdb-entry, x_refsource_SECTRACK)
