Bug 863253 (CVE-2012-1591) - CVE-2012-1591 Drupal 7: Access bypass - private images
Summary: CVE-2012-1591 Drupal 7: Access bypass - private images
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2012-1591
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 863256 956481 956483
Blocks: 863255
TreeView+ depends on / blocked
 
Reported: 2012-10-04 20:06 UTC by Kurt Seifried
Modified: 2019-09-29 12:55 UTC (History)
6 users (show)

Fixed In Version: drupal7-7.13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-25 15:12:21 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2012-10-04 20:06:19 UTC 
The Drupal reports that Drupal 7.12 contains the following vulnerability: 

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and 
Image Styles which create derivative images from an original image that may 
differ, for example, in size or saturation. Drupal core failed to properly 
terminate the page request for cached image styles allowing users to access 
image derivatives for images they should not be able to view. Furthermore, 
Drupal didn't set the right headers to prevent image styles from being cached 
in the browser.

External reference:
http://drupal.org/node/1557938
Comment 2 Kurt Seifried 2013-04-25 05:20:53 UTC 
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 956481]
Comment 3 Kurt Seifried 2013-04-25 05:23:18 UTC 
Created drupal7 tracking bugs for this issue

Affects: epel-all [bug 956483]
Note You need to log in before you can comment on or make changes to this bug.