Published: 01/03/2018 Updated: 03/10/2019

CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8

CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6

VMScore: 312

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Drupal core 7.x versions prior to 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

Vulnerable Product	Search on Vulmon	Subscribe to Product
drupal drupal
debian debian linux 9.0
debian debian linux 7.0
debian debian linux 8.0

Debian Bug report logs - #891152 drupal7: CVE-2017-6928: SA-CORE-2018-001: Private file access bypass Package: src:drupal7; Maintainer for src:drupal7 is Gunnar Wolf <gwolf@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 22 Feb 2018 19:51:01 UTC Severity: grave Tags: security, upstream ...

Multiple vulnerabilities have been found in the Drupal content management framework For additional information, please refer to the upstream advisory at wwwdrupalorg/sa-core-2018-001 For the oldstable distribution (jessie), this problem has been fixed in version 732-1+deb8u10 For the stable distribution (stretch), this problem has been ...

CWE-732 https://www.drupal.org/sa-core-2018-001 https://www.debian.org/security/2018/dsa-4123 https://lists.debian.org/debian-lts-announce/2018/02/msg00030.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891152 https://nvd.nist.gov https://www.debian.org/security/./dsa-4123

CVE-2017-6928

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect