Bug 1548193 - drupal: Private file access bypass in Drupal private file system
Summary: drupal: Private file access bypass in Drupal private file system
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1548194 1548195
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-02-22 23:49 UTC by Laura Pardo
Modified: 2019-09-29 14:33 UTC (History)
5 users (show)

Fixed In Version: drupal 7.57
Clone Of:
Environment:
Last Closed: 2019-02-25 15:04:50 UTC
Embargoed:

Attachments (Terms of Use)

Description Laura Pardo 2018-02-22 23:49:48 UTC 
A flaw was found in Drupal 7. When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.


References:
https://www.drupal.org/sa-core-2018-001
Comment 1 Laura Pardo 2018-02-22 23:50:47 UTC 
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1548195]
Affects: fedora-all [bug 1548194]
Comment 2 Shawn Iwinski 2019-02-23 07:50:02 UTC 
All dependent bugs have been closed.  Can this tracking bug be closed as well?
Comment 3 Laura Pardo 2019-02-25 15:04:50 UTC 
In reply to comment #2:
> All dependent bugs have been closed.  Can this tracking bug be closed as
> well?

Yes. Closing
Comment 4 Fedora Update System 2019-03-12 21:47:45 UTC 
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.