CVE-2017-6922 — Files or Directories Accessible to External Parties in Drupal Core
Exploited in the wild: exploitation observed in the wild; not yet on CISA KEV.
Severity: 6.5 MEDIUM (NVD)
EPSS: 1.8% (top 17.22%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Jan 22; latest update May 13
Description
In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than to all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload file…
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Exploitability: 2.8 | Impact: 3.6)
Affected packages: 4 packages
Also affects: Debian Linux 8.0, 9.0
Vulnerability Details
CVEList: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users (2019-01-22)
Community
Bugzilla: CVE-2017-6922 drupal7: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users [epel-all] (2017-06-22)
Bugzilla: CVE-2017-6922 drupal7: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users [fedora-all] (2017-06-22)
Bugzilla: CVE-2017-6922 drupal7: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users (2017-06-22)