CVE-2022-25275

7 documents, 5 sources
Severity: 7.5 HIGH
EPSS: 0.4% (top 40.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 26

Description

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5 | drupal/core | 9.4 | 9.4.3 | +2
Packagist | drupal/core | 7.0.0 | 7.91 | +2
NVD | drupal/drupal | 7.0 | 7.91 | +2

🔴 Vulnerability Details (5)

OSV | CVE-2022-25275: In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating | 2023-04-26
CVEList | CVE-2022-25275: In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating | 2023-04-26
OSV | Drupal core Information Disclosure vulnerability | 2022-08-06
GHSA | Drupal core Information Disclosure vulnerability | 2022-08-06
OSV | CVE-2022-25275: In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating | 2022-07-20

📋 Vendor Advisories (1)

Drupal | Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 | 2022-07-20
CVE-2022-25275 (HIGH CVSS 7.5) | In some situations | cvebase.io