PT-2022-3918 · Drupal

Elar Lang · Published 2022-07-20 · Updated 2024-03-06 · CVE-2022-25277

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Drupal core versions 7, 9.3, and 9.4
Description: The issue arises from the incorrect interaction between two protections in Drupal core: one that sanitizes filenames with dangerous extensions on upload, and another that strips leading and trailing dots from filenames to prevent uploading server configuration files. If a site is configured to allow the upload of files with an htaccess extension, those filenames are not properly sanitized, potentially allowing the protections provided by Drupal core's default .htaccess files to be bypassed and possibly leading to remote code execution on Apache web servers. This is mitigated by the requirement that a field administrator explicitly configure a file field to allow htaccess as an extension, or that a contributed module or custom code override the allowed file uploads.
Recommendations: For Drupal core version 7, update to version 7.91. For Drupal core version 9.3, update to version 9.3.19. For Drupal core version 9.4, update to version 9.4.3. As a temporary workaround, consider restricting the upload of files with an htaccess extension until the issue is resolved.
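As an added illustration (not Drupal core's own code), the following Python shows the defensive pattern behind this advisory and its workaround: a hard deny list that overrides whatever a site's field configuration allows, and extension checks that run on the final normalized filename rather than on an intermediate one, so two filters cannot undo each other's work. The HARD_DENY contents, the `_` munging rule and the function names are assumptions chosen for this example.

```python
from collections.abc import Iterable

# Server configuration names that must never be written under the web root,
# whatever a field administrator puts in the allow-list (assumed list).
HARD_DENY = frozenset({"htaccess", "htpasswd"})


def normalize(name: str) -> str:
    """Trim whitespace and strip leading/trailing dots from the whole name,
    so '.htaccess' becomes the extensionless 'htaccess'."""
    return name.strip().strip(".")


def effective_allow_list(site_allowed: Iterable[str]) -> frozenset[str]:
    """Site configuration minus HARD_DENY: enabling 'htaccess' on a field
    has no effect, which is the advisory's interim workaround."""
    return frozenset(e.lower() for e in site_allowed) - HARD_DENY


def check_upload_name(name: str, site_allowed: Iterable[str]) -> str:
    """Return the filename to store, or raise ValueError.

    Every check runs on the fully normalized name, so the dot-stripping
    step and the extension step cannot undo each other's work.
    """
    allowed = effective_allow_list(site_allowed)
    final = normalize(name)
    if not final:
        raise ValueError("empty filename after normalization")
    if final.lower() in HARD_DENY:
        raise ValueError("server configuration filename")
    base, *exts = final.split(".")
    if not exts:
        raise ValueError("missing extension")
    if exts[-1].lower() not in allowed:
        raise ValueError(f"extension {exts[-1]!r} not allowed")
    # Neutralize inner segments that are not allowed: 'a.php.txt' -> 'a.php_.txt'
    inner = [e if e.lower() in allowed else e + "_" for e in exts[:-1]]
    return ".".join([base, *inner, exts[-1]])


def is_upload_name_allowed(name: str, site_allowed: Iterable[str]) -> bool:
    """Boolean form of check_upload_name for use in a policy check."""
    try:
        check_upload_name(name, site_allowed)
    except ValueError:
        return False
    return True
```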

Exploit

Fix

RCE

Unrestricted File Upload

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-04741
BIT-DRUPAL-2022-25277
CVE-2022-25277
DRUPAL-CORE-2022-014
GHSA-6955-67HM-VJJQ

Affected Products

Drupal