CVE-2017-6922 - OpenCVE

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Drupal	Drupal

Configuration 1 [-]

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/99219	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038781	Third Party Advisory VDB Entry
https://www.debian.org/security/2017/dsa-3897	Third Party Advisory
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: drupal

Published: 2019-01-22T15:00:00

Updated: 2019-01-23T10:57:01

Reserved: 2017-03-16T00:00:00

Link: CVE-2017-6922

JSON object: View

NVD Information

Status : Modified

Published: 2019-01-22T15:29:00.223

Modified: 2023-11-07T02:49:59.607

Link: CVE-2017-6922

JSON object: View

Redhat Information

No data.

CWE

CWE-552

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal", "versions": [{"lessThan": "8.3.3", "status": "affected", "version": "Drupal 8 ", "versionType": "custom"}, {"lessThan": "7.55", "status": "affected", "version": "Drupal 7 ", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}], "problemTypes": [{"descriptions": [{"description": "Access Bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-01-23T10:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"name": "DSA-3897", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3897"}, {"name": "99219", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/99219"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}, {"name": "1038781", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038781"}], "source": {"advisory": "SA-CORE-2017-003", "discovery": "UNKNOWN"}, "title": "Files uploaded by anonymous users into a private file system can be accessed by other anonymous users", "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@drupal.org", "DATE_PUBLIC": "", "ID": "CVE-2017-6922", "STATE": "PUBLIC", "TITLE": "Files uploaded by anonymous users into a private file system can be accessed by other anonymous users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"affected": "<", "platform": "", "version_affected": "<", "version_name": "Drupal 8 ", "version_value": "8.3.3"}, {"affected": "<", "platform": "", "version_affected": "<", "version_name": "Drupal 7 ", "version_value": "7.55"}]}}]}, "vendor_name": "Drupal"}]}}, "configuration": [], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}]}, "exploit": [], "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Access Bypass"}]}]}, "references": {"reference_data": [{"name": "DSA-3897", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3897"}, {"name": "99219", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99219"}, {"name": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple", "refsource": "CONFIRM", "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}, {"name": "1038781", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038781"}]}, "solution": [], "source": {"advisory": "SA-CORE-2017-003", "defect": [], "discovery": "UNKNOWN"}, "work_around": []}}}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6922", "datePublished": "2019-01-22T15:00:00", "dateReserved": "2017-03-16T00:00:00", "dateUpdated": "2019-01-23T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "67B5E690-BB08-4EB3-BD48-5301A360187C", "versionEndExcluding": "7.56", "versionStartIncluding": "7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0C572FD-C76D-4714-85A3-5CFF9F292C2C", "versionEndExcluding": "8.3.4", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system."}, {"lang": "es", "value": "En Drupal core, en las versiones 8.x anteriores a la 8.3.4 y en las 7.x anteriores a la 7.56, los archivos privados subidos por un usuario an\u00f3nimo que no est\u00e9n conectados al contenido del sitio deber\u00edan ser visibles solo para el mismo usuario an\u00f3nimo que los subi\u00f3, en lugar de todos los usuarios an\u00f3nimos. Anteriormente, Drupal core no dispon\u00eda de esta protecci\u00f3n, permitiendo que ocurriera una vulnerabilidad de omisi\u00f3n de acceso. Este problema se mitiga por el hecho de que, para que se vea afectado, el sitio deber\u00e1 permitir a los usuarios an\u00f3nimos subir archivos a un sistema de archivos privado."}], "id": "CVE-2017-6922", "lastModified": "2023-11-07T02:49:59.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-01-22T15:29:00.223", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/99219"}, {"source": "mlhess@drupal.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038781"}, {"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-3897"}, {"source": "mlhess@drupal.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}]}