Vulnerability Name: CVE-2017-6922 (CCN-127568)
Assigned: 2017-06-21
Published: 2017-06-21
Updated: 2019-10-09
Summary: Affects Drupal core 8.x before 8.3.4 and Drupal core 7.x before 7.56. Private files uploaded by an anonymous user but not yet permanently attached to content should be visible only to the anonymous session that uploaded them, not to every anonymous user. Drupal core did not enforce this distinction, so any anonymous visitor could retrieve such a temporary private file (access bypass). Mitigating factor: a site is affected only if it allows anonymous users to upload files into a private file system.
CVSS v3 Severity:
  6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Vulnerability Type: CWE-552 (Files or Directories Accessible to External Parties)
Vulnerability Consequences: Bypass Security
References:
  MITRE (CNA): CVE-2017-6922
  CCN (IBM Security Bulletin 2005722, API Connect): Weaker than expected security in IBM API Connect Developer Portal (CVE-2017-6922)
  BID (Third Party Advisory, VDB Entry): 99219
  CCN (BID-99219): Drupal Core CVE-2017-6922 Access Bypass Vulnerability
  SECTRACK (Third Party Advisory, VDB Entry): 1038781
  XF: drupal-cve20176922-sec-bypass(127568)
  DEBIAN (Third Party Advisory): DSA-3897
  CONFIRM (Patch, Vendor Advisory): https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple
  CCN (DRUPAL-SA-CORE-2017-003): Drupal Core - Multiple Vulnerabilities
  CCN (WhiteSource Vulnerability Database): CVE-2017-6922
Vulnerable Configuration:
  Configuration 1:
  Configuration 2:
  Configuration CCN 1:
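The flaw described in the summary is a classic identity-conflation bug: every anonymous request carries the same user id, so an ownership check of the form "file owner == requesting user" lets any anonymous visitor read any other anonymous visitor's temporary private upload. The model below is an added illustration, not Drupal's code; it reconstructs the vulnerable check beside a hardened one that additionally binds an anonymous temporary upload to the uploading session. The `ManagedFile`, `Requester`, `allowed_fids` names and the per-session bookkeeping are assumptions made for this example.

```python
"""Model of the CVE-2017-6922 access check on temporary private files.

Added illustration, not Drupal's own code. A managed file has an owner
uid (0 for anonymous), a status (temporary until attached to content)
and a scheme (only 'private' files go through an access check). All
anonymous requests share uid 0, so an owner check by uid alone cannot
tell two anonymous visitors apart. The hardened variant also requires
that an anonymous requester's session recorded the upload (the
``allowed_fids`` set is an assumed session attribute for this model).
"""
from dataclasses import dataclass, field
from typing import Dict, Set

ANONYMOUS_UID = 0
FILE_STATUS_TEMPORARY = 0
FILE_STATUS_PERMANENT = 1


@dataclass(frozen=True)
class ManagedFile:
    fid: int
    uid: int      # uploader; ANONYMOUS_UID for anonymous
    status: int   # FILE_STATUS_TEMPORARY or FILE_STATUS_PERMANENT
    scheme: str   # 'private' or 'public'


@dataclass
class Requester:
    uid: int
    # Assumed per-session record of temporary fids this browser session
    # uploaded; populated by record_anonymous_upload() at upload time.
    allowed_fids: Set[int] = field(default_factory=set)


def record_anonymous_upload(f: ManagedFile, r: Requester) -> None:
    """At upload time, bind an anonymous temporary upload to its session."""
    if r.uid == ANONYMOUS_UID and f.status == FILE_STATUS_TEMPORARY:
        r.allowed_fids.add(f.fid)


def can_download_vulnerable(f: ManagedFile, r: Requester) -> bool:
    """Modelled pre-fix behaviour: ownership decided by uid only."""
    if f.scheme != "private":
        return True                     # public files need no check
    if f.status == FILE_STATUS_PERMANENT:
        return False                    # governed by the attached entity; out of scope here
    return f.uid == r.uid               # uid 0 == uid 0 for every anonymous visitor


def can_download_fixed(f: ManagedFile, r: Requester) -> bool:
    """Hardened check: anonymous owners must also hold the fid in session."""
    if f.scheme != "private":
        return True
    if f.status == FILE_STATUS_PERMANENT:
        return False
    if f.uid != r.uid:
        return False
    if r.uid == ANONYMOUS_UID:
        return f.fid in r.allowed_fids  # distinguishes anonymous sessions
    return True


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: one anonymous upload, three distinct requesters."""
    uploaded = ManagedFile(fid=17, uid=ANONYMOUS_UID,
                           status=FILE_STATUS_TEMPORARY, scheme="private")
    uploader = Requester(uid=ANONYMOUS_UID)
    record_anonymous_upload(uploaded, uploader)
    other_anon = Requester(uid=ANONYMOUS_UID)   # a different anonymous visitor
    logged_in = Requester(uid=42)
    requesters = {"uploader": uploader, "other_anonymous": other_anon,
                  "logged_in": logged_in}
    return {
        "vulnerable": {name: can_download_vulnerable(uploaded, r)
                       for name, r in requesters.items()},
        "fixed": {name: can_download_fixed(uploaded, r)
                  for name, r in requesters.items()},
    }


if __name__ == "__main__":
    for variant, results in demo().items():
        print(variant, results)
```

Under the vulnerable check the `other_anonymous` requester is allowed because it shares uid 0 with the uploader; under the hardened check only the session that performed the upload is allowed. Note the precondition from the summary: the distinction only matters on a site that lets anonymous users upload into the private scheme at all, so the first thing to verify when triaging this CVE is whether any form exposed to anonymous users writes to `private://`.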