CVE-2023-31250

CWE-863 — Incorrect Authorization7 documents5 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 50.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Drupal

Timeline

PublishedApr 26

Description

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5drupal/core7.0 — 7.96+3

▶Packagistdrupal/core8.0.0 — 9.4.14+4

▶NVDdrupal/drupal7.0 — 7.96+3

🔴Vulnerability Details

OSV

CVE-2023-31250: The file download facility doesn't sufficiently sanitize file paths in certain situations↗2023-04-26

▶

OSV

Access bypass in Drupal core↗2023-04-26

▶

CVEList

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005↗2023-04-26

▶

GHSA

Access bypass in Drupal core↗2023-04-26

▶

OSV

CVE-2023-31250: The file download facility doesn't sufficiently sanitize file paths in certain situations↗2023-04-19

▶

📋Vendor Advisories

Drupal

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005↗2023-04-19

▶