Vulnerability CVE-2012-1591

Vulnerability Name:

CVE-2012-1591 (CCN-75388)

Assigned:

2012-05-02

Published:

2012-05-02

Updated:

2013-12-13

Summary:

The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2012-1591

Source: CONFIRM
Type: Patch
http://drupal.org/drupal-7.14

Source: CONFIRM
Type: UNKNOWN
http://drupal.org/node/1507988

Source: CCN
Type: DRUPAL-SA-CORE-2012-002
SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
http://drupal.org/node/1557938

Source: CCN
Type: Drupal Web Site
Drupal

Source: CONFIRM
Type: UNKNOWN
http://drupalcode.org/project/drupal.git/commit/3bf6761ff7537dc68e22ea73f155134f3cfd41a8

Source: CCN
Type: SA49012
Drupal Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
49012

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2013:074

Source: CCN
Type: OSVDB ID: 81681
Drupal Cached Image Style Page Request Parsing Image Derivative Disclosure

Source: BID
Type: UNKNOWN
53359

Source: CCN
Type: BID-53359
Drupal Core Multiple Access Security Bypass Vulnerabilities

Source: XF
Type: UNKNOWN
drupal-images-security-bypass(75388)

Vulnerable Configuration:

Configuration 1:

cpe:/a:drupal:drupal:7.0:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:beta1:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:beta2:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:beta3:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:dev:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:rc1:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:rc2:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:rc3:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.0:rc4:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.1:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.2:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.3:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.4:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.5:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.6:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.7:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.8:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.9:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.10:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.11:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.12:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.13:*:*:*:*:*:*:*

OR cpe:/a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*