Drupal Security TeamDRUPAL-SA-CONTRIB-2014-071SA-CONTRIB-2014-071 - FileField - Access bypass
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%
The FileField module enables you to define and use fields that contain files.
The module doesn’t sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.
This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.
CVE identifier(s) issued
- CVE-2014-9156
Versions affected
- FileField 6.x-3.x versions prior to 6.x-3.13.
Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.
Solution
- If you use the FileField module for Drupal 6.x, upgrade to Filefield 6.x-3.13, and also update to Drupal core 6.32 (see SA-CORE-2014-003).
Reported by
Fixed by
- Nate Haug
- Ivan Ch
- David Snopek of the Drupal Security Team.
References
drupal.org/contact
drupal.org/project/filefield
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/writing-secure-code
twitter.com/drupalsecurity
www.drupal.org/drupal-6.32-release-notes
www.drupal.org/node/2304517
www.drupal.org/project/filefield
www.drupal.org/SA-CORE-2014-003
www.drupal.org/user/266527
www.drupal.org/user/35821
www.drupal.org/user/556138
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%