#VU10701 Security restrictions bypass in Drupal - CVE-2017-6928
Published: February 22, 2018 / Updated: March 23, 2018
Vulnerability identifier: #VU10701
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6928
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Drupal
Software vendor:
Drupal
Drupal
Description
The disclosed vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper access check for unusual site configurations when one module is trying to grant access to the file and another is trying to deny it. A remote attacker can bypass private file access.
Remediation
Update to version 7.57.