PT-2018-8352 · Drupal · Drupal

Anders Olsson

Published

2018-02-24

Updated

2022-05-13

CVE-2017-6928

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Drupal core versions prior to 7.57

Description The issue arises when using Drupal's private file system. Under certain conditions, where one module grants access to a file and another denies it, the access check fails. This leads to an access bypass issue, although it is mitigated by the fact that it only occurs in unusual site configurations.

Recommendations For versions prior to 7.57, update to version 7.57 or later to resolve the issue.

Exploit

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2017-6928

DLA-1295-1

DSA-4123-1

GHSA-66MV-Q8R2-HJ8W

Affected Products

Drupal

PT-2018-8352 · Drupal · Drupal

CVE-2017-6928

Weakness Enumeration

Related Identifiers

Affected Products

References · 13