Bug 1548193 - drupal: Private file access bypass in Drupal private file system
Summary: drupal: Private file access bypass in Drupal private file system
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1548194 1548195
Blocks:
Reported: 2018-02-22 23:49 UTC by Laura Pardo
Modified: 2019-09-29 14:33 UTC (History)
CC: 5 users

Fixed In Version: drupal 7.57
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-25 15:04:50 UTC
Embargoed:



Description Laura Pardo 2018-02-22 23:49:48 UTC
A flaw was found in Drupal 7. When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.


References:
https://www.drupal.org/sa-core-2018-001
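
The failure mode described above, where a grant from one module is honoured even though another module denies, comes down to how per-module access answers are combined. The following is an added illustration and is not Drupal's own code: it models the documented Drupal 7 hook_file_download() return convention (an array of HTTP headers to grant, -1 to deny, nothing to abstain) with two constructed callbacks, and contrasts a first-answer-wins combiner, whose outcome depends on module order, with a deny-wins combiner that consults every module and lets any explicit deny override every grant. The callback names, the file URI and the header values are all made up for the example.

```php
<?php
// Added example, not Drupal's code. Models how a private-file download check
// combines per-module answers under the hook_file_download() convention:
// array of headers => grant, -1 => deny, null => no opinion.

// Constructed callbacks standing in for two modules with opposite opinions.
$moduleCallbacks = [
    'field_grant' => function (string $uri): ?array {
        // Grants: the file is attached to a field this user may view.
        return ['Content-Type' => 'application/pdf'];
    },
    'policy_deny' => function (string $uri): int {
        // Denies: a site policy forbids this user from seeing the file.
        return -1;
    },
];

/**
 * Flawed combiner: the first module with an opinion decides, so a grant
 * registered before a deny wins and the deny is never even consulted.
 */
function combineFirstWins(array $callbacks, string $uri)
{
    foreach ($callbacks as $cb) {
        $result = $cb($uri);
        if ($result !== null) {
            return $result;
        }
    }
    return null; // no module claimed the file: caller should answer 404
}

/**
 * Hardened combiner: every module is consulted and any explicit deny
 * overrides any grant, regardless of the order modules are invoked in.
 */
function combineDenyWins(array $callbacks, string $uri)
{
    $headers = [];
    $denied = false;
    foreach ($callbacks as $cb) {
        $result = $cb($uri);
        if ($result === -1) {
            $denied = true;          // remember the deny, keep iterating
        } elseif (is_array($result)) {
            $headers += $result;     // merge headers from granting modules
        }
    }
    if ($denied) {
        return -1;
    }
    return $headers === [] ? null : $headers;
}

function describe($decision): string
{
    if ($decision === -1) {
        return 'DENY (403)';
    }
    if ($decision === null) {
        return 'NOT FOUND (404)';
    }
    return 'GRANT, headers: ' . json_encode($decision);
}

$uri = 'private://reports/constructed-sample.pdf';
echo 'first-wins:            ', describe(combineFirstWins($moduleCallbacks, $uri)), PHP_EOL;
echo 'deny-wins:             ', describe(combineDenyWins($moduleCallbacks, $uri)), PHP_EOL;

// Reversing module order changes the flawed combiner's verdict but not the
// hardened one's: that order dependence is the access bypass in miniature.
$reversed = array_reverse($moduleCallbacks, true);
echo 'first-wins (reversed): ', describe(combineFirstWins($reversed, $uri)), PHP_EOL;
echo 'deny-wins  (reversed): ', describe(combineDenyWins($reversed, $uri)), PHP_EOL;
```

The design point for reviewers of any hook-based access layer is the same: collect all answers before deciding, treat an explicit deny as authoritative over any number of grants, and write a test that swaps module order to prove the verdict does not move.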

Comment 1 Laura Pardo 2018-02-22 23:50:47 UTC
Created drupal7 tracking bugs for this issue:

Affects: epel-all [bug 1548195]
Affects: fedora-all [bug 1548194]

Comment 2 Shawn Iwinski 2019-02-23 07:50:02 UTC
All dependent bugs have been closed.  Can this tracking bug be closed as well?

Comment 3 Laura Pardo 2019-02-25 15:04:50 UTC
In reply to comment #2:
> All dependent bugs have been closed.  Can this tracking bug be closed as
> well?

Yes. Closing

Comment 4 Fedora Update System 2019-03-12 21:47:45 UTC
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

