#VU448 Access bypass in Drupal - CVE-2014-5020

Cybersecurity Help s.r.o.

Published: 2016-09-14

Vulnerability identifier: #VU448

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-5020

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to attaching of specially crafted files to the content. Unsufficient checking of attached files by File module expose acess to personal user's data.
Successful exploitation of this vulnerability allows a remote attacker to gain access to potentially sensitive information.

Mitigation
Update to 7.29.
https://www.drupal.org/drupal-7.29-release-notes

Vulnerable software versions

Drupal: 7.0 - 7.28

External links
https://www.drupal.org/SA-CORE-2014-003

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for drupal7

Fedora EPEL 6 update for drupal7

Fedora EPEL 5 update for drupal7

Fedora EPEL 6 update for drupal7

Fedora EPEL 5 update for drupal7

Fedora EPEL 6 update for drupal7