CVE-2020-13670 — Resource Exposure in Drupal Core

CWE-668 — Resource Exposure7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5drupal/core8.8.x — 8.8.10+2

▶Packagistdrupal/core8.0.0 — 8.8.10+2

▶NVDdrupal/drupal8.8.0 — 8.8.10+2

▶Packagistdrupal/drupal8.0.0 — 8.8.10+2

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Exposure of Resource to Wrong Sphere in Drupal Core↗2022-02-12

▶

OSV

Exposure of Resource to Wrong Sphere in Drupal Core↗2022-02-12

▶

OSV

CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file↗2022-02-11

▶

CVEList

CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file↗2022-02-11

▶

OSV

CVE-2020-13670: A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not ha↗2020-09-16

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011↗2020-09-16

▶