Bug 1548193

Summary: drupal: Private file access bypass in Drupal private file system
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jsmith.fedora, lpardo, peter, shawn, stickster
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20180221,reported=20180221,source=cert,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/drupal7=affected,epel-all/drupal7=affected
Fixed In Version: drupal 7.57 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-25 15:04:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1548194, 1548195    
Bug Blocks:    

Description Laura Pardo 2018-02-22 23:49:48 UTC
A flaw was found in Drupal 7. When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.


References:
https://www.drupal.org/sa-core-2018-001

Comment 1 Laura Pardo 2018-02-22 23:50:47 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1548195]
Affects: fedora-all [bug 1548194]

Comment 2 Shawn Iwinski 2019-02-23 07:50:02 UTC
All dependent bugs have been closed.  Can this tracking bug be closed as well?

Comment 3 Laura Pardo 2019-02-25 15:04:50 UTC
In reply to comment #2:
> All dependent bugs have been closed.  Can this tracking bug be closed as
> well?

Yes. Closing

Comment 4 Fedora Update System 2019-03-12 21:47:45 UTC
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.