CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 56.3%

Drupal core sanitizes filenames with dangerous extensions upon upload
(reference: SA-CORE-2020-012) and strips leading and trailing dots from
filenames to prevent uploading server configuration files (reference:
SA-CORE-2019-010). However, the protections for these two vulnerabilities
previously did not work correctly together. As a result, if the site were
configured to allow the upload of files with an htaccess extension, these
files’ filenames would not be properly sanitized. This could allow
bypassing the protections provided by Drupal core’s default .htaccess files
and possible remote code execution on Apache web servers. This issue is
mitigated by the fact that it requires a field administrator to explicitly
configure a file field to allow htaccess as an extension (a restricted
permission), or a contributed module or custom code that overrides allowed
file uploads.
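
The precondition described above (a file field configured to allow the htaccess extension) can be audited from a configuration export. The following is an added example, not code from Drupal or from the advisory. It assumes field settings are exported as field.field.*.yml files with a file_extensions line, and it also lists .htaccess files sitting in subdirectories of the upload tree. The directory names and sample data in demo() are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches the "file_extensions" setting in an exported field.field.*.yml file,
# e.g.   file_extensions: 'txt pdf htaccess'
EXT_LINE = re.compile(r"^\s*file_extensions:\s*['\"]?([^'\"\n]*)", re.M)


def fields_allowing_htaccess(config_dir):
    """Return field config file names whose allowed extensions include htaccess."""
    hits = []
    for path in sorted(Path(config_dir).glob("field.field.*.yml")):
        for m in EXT_LINE.finditer(path.read_text(encoding="utf-8")):
            exts = {e.lower().lstrip(".") for e in re.split(r"[\s,]+", m.group(1)) if e}
            if "htaccess" in exts and path.name not in hits:
                hits.append(path.name)
    return hits


def nested_htaccess_files(files_root):
    """Return .htaccess files in subdirectories of the upload tree (POSIX paths)."""
    root = Path(files_root)
    # Assumption: the .htaccess at the top level is the protective one Drupal
    # writes itself; review its content separately.
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.lower() == ".htaccess" and p.parent != root
    )


def demo():
    """Run both checks over a constructed config export and files tree."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, files = Path(tmp, "sync"), Path(tmp, "files")
        cfg.mkdir()
        (files / "uploads").mkdir(parents=True)
        # Constructed sample data, not taken from a real site.
        (cfg / "field.field.node.page.field_docs.yml").write_text(
            "settings:\n  file_extensions: 'txt pdf htaccess'\n", encoding="utf-8")
        (cfg / "field.field.node.page.field_img.yml").write_text(
            "settings:\n  file_extensions: 'png jpg'\n", encoding="utf-8")
        (files / ".htaccess").touch()
        (files / "uploads" / ".htaccess").touch()
        return fields_allowing_htaccess(cfg), nested_htaccess_files(files)


if __name__ == "__main__":
    print(demo())
```

This audit covers only field configuration; a contributed module or custom code that overrides allowed file uploads has to be reviewed separately.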