Bug 1464005 (CVE-2017-6922)

Summary: CVE-2017-6922 drupal7: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anemec, gwync, jsmith.fedora, peter.borsa, shawn, stickster
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: drupal 7.56
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-09-19 09:30:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1464007, 1464008

Description Andrej Nemec 2017-06-22 09:12:12 UTC
Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

External References:

https://www.drupal.org/SA-CORE-2017-003

Comment 1 Andrej Nemec 2017-06-22 09:13:07 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1464008]
Affects: fedora-all [bug 1464007]

Comment 2 Shawn Iwinski 2017-09-18 18:28:08 UTC
All dependent bugs have been closed.  Can this bug be closed?

Comment 3 Andrej Nemec 2017-09-19 09:30:36 UTC
(In reply to Shawn Iwinski from comment #2)
> All dependent bugs have been closed.  Can this bug be closed?

Closing, thanks!