Security restrictions bypass in Drupal - CVE-2017-6928
Published: February 22, 2018 / Updated: March 23, 2018
Vulnerability identifier: #VU10701
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6928
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper access check for unusual site configurations when one module is trying to grant access to the file and another is trying to deny it. A remote attacker can bypass private file access.
How to mitigate CVE-2017-6928
Update to version 7.57.