CVE-2020-13670
Published 2022-02-11
Priority: P3 · 43 · high · CVSS 3.1: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.09% (61.2th percentile)
Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.8.x < 8.8.10 | 8.8.10 |
| drupal | core | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | core | >= 8.9.x < 8.9.6 | 8.9.6 |
| drupal | core | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | core | >= 9.0.x < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 8.0.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.8.0 < 8.8.10 | 8.8.10 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 8.9.0 < 8.9.6 | 8.9.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal | >= 9.0.0 < 9.0.6 | 9.0.6 |
| drupal | drupal_core | — | — |
CVSS provenance
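| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |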
GHSA
Exposure of Resource to Wrong Sphere in Drupal Core
ghsa·2022-02-12
CVE-2020-13670 [HIGH] CWE-668 Exposure of Resource to Wrong Sphere in Drupal Core
OSV
Exposure of Resource to Wrong Sphere in Drupal Core
osv·2022-02-12
CVE-2020-13670 [HIGH] Exposure of Resource to Wrong Sphere in Drupal Core
OSV
CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file
osv·2022-02-11·CVSS 7.5
CVE-2020-13670 [HIGH] CVE-2020-13670: Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file
OSV
CVE-2020-13670: A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not ha
osv·2020-09-16
CVE-2020-13670 CVE-2020-13670: A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not ha
A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.
Drupal
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
vendor_drupal·2020-09-16
CVE-2020-13670 [MEDIUM] Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
Title: Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
Vulnerability Type: Information disclosure
Description: A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file.
Solution: Install the latest version: If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10. If you are using Drupal 8.9.x, upgrade to Drupal 8.9.6. If you are using Drupal 9.0.x, upgrade to Drupal 9.0.6. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.10.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.