Improper access control in Drupal

#VU6108 Improper access control in Drupal

Published: 2017-03-17

Vulnerability identifier: #VU6108

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-6377

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote attacker to access potentially sensitive information.

The vulnerability exists due to incorrect permissions assigned for uploaded private files using a configured text editor (like CKEditor). The editor does not correctly check access for the file being attached, which can lead to disclosure of private files.

Mitigation
Update to version 8.2.7.

Vulnerable software versions

Drupal: 8.2.0 - 8.2.6, 8.1.0 - 8.1.10, 8.0.0 - 8.0.6

External links
http://www.drupal.org/SA-2017-001

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Three vulnerabilities in Drupal