CVE-2017-6377 — Incorrect Authorization in Drupal Core

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 47.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Drupal Core

Timeline

PublishedMar 16

Latest updateMay 13

Description

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Packagistdrupal/core8.2.0 — 8.2.7

▶Packagistdrupal/drupal8.2.0 — 8.2.7

▶NVDdrupal/drupal7 versions+6

▶CVEListV5drupal/drupal_core8.2.x versions before 8.2.7

🔴Vulnerability Details

GHSA

Drupal editor module incorrectly checks access to inline private files↗2022-05-13

▶

OSV

Drupal editor module incorrectly checks access to inline private files↗2022-05-13

▶

CVEList

CVE-2017-6377: When adding a private file via the editor in Drupal 8↗2017-03-16

▶