Bug 863253 - (CVE-2012-1591) CVE-2012-1591 Drupal 7: Access bypass - private images
CVE-2012-1591 Drupal 7: Access bypass - private images
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 863256 956481 956483
Blocks: 863255
  Show dependency treegraph
Reported: 2012-10-04 16:06 EDT by Kurt Seifried
Modified: 2015-07-31 02:54 EDT (History)
6 users (show)

See Also:
Fixed In Version: drupal7-7.13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-25 11:12:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2012-10-04 16:06:19 EDT
The Drupal reports that Drupal 7.12 contains the following vulnerability: 

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and 
Image Styles which create derivative images from an original image that may 
differ, for example, in size or saturation. Drupal core failed to properly 
terminate the page request for cached image styles allowing users to access 
image derivatives for images they should not be able to view. Furthermore, 
Drupal didn't set the right headers to prevent image styles from being cached 
in the browser.

External reference:
Comment 2 Kurt Seifried 2013-04-25 01:20:53 EDT
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 956481]
Comment 3 Kurt Seifried 2013-04-25 01:23:18 EDT
Created drupal7 tracking bugs for this issue

Affects: epel-all [bug 956483]

Note You need to log in before you can comment on or make changes to this bug.