Bug 863253 - (CVE-2012-1591) CVE-2012-1591 Drupal 7: Access bypass - private images
CVE-2012-1591 Drupal 7: Access bypass - private images
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120502,reported=2...
: Security
Depends On: 863256 956481 956483
Blocks: 863255
  Show dependency treegraph
 
Reported: 2012-10-04 16:06 EDT by Kurt Seifried
Modified: 2015-07-31 02:54 EDT (History)
6 users (show)

See Also:
Fixed In Version: drupal7-7.13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-25 11:12:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2012-10-04 16:06:19 EDT
The Drupal reports that Drupal 7.12 contains the following vulnerability: 

Access bypass - private images

CVE: CVE-2012-1591

Drupal core provides the ability to have private files, including images, and 
Image Styles which create derivative images from an original image that may 
differ, for example, in size or saturation. Drupal core failed to properly 
terminate the page request for cached image styles allowing users to access 
image derivatives for images they should not be able to view. Furthermore, 
Drupal didn't set the right headers to prevent image styles from being cached 
in the browser.

External reference:
http://drupal.org/node/1557938
Comment 2 Kurt Seifried 2013-04-25 01:20:53 EDT
Created drupal7 tracking bugs for this issue

Affects: fedora-all [bug 956481]
Comment 3 Kurt Seifried 2013-04-25 01:23:18 EDT
Created drupal7 tracking bugs for this issue

Affects: epel-all [bug 956483]

Note You need to log in before you can comment on or make changes to this bug.