ID CVE-2017-6922
Summary In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.
References
Vulnerable Configurations
  • Drupal 7.0
    cpe:2.3:a:drupal:drupal:7.0
  • Drupal 7.0 alpha1
    cpe:2.3:a:drupal:drupal:7.0:alpha1
  • Drupal 7.0 alpha2
    cpe:2.3:a:drupal:drupal:7.0:alpha2
  • Drupal 7.0 alpha3
    cpe:2.3:a:drupal:drupal:7.0:alpha3
  • Drupal 7.0 alpha4
    cpe:2.3:a:drupal:drupal:7.0:alpha4
  • Drupal 7.0 alpha5
    cpe:2.3:a:drupal:drupal:7.0:alpha5
  • Drupal 7.0 alpha6
    cpe:2.3:a:drupal:drupal:7.0:alpha6
  • Drupal 7.0 alpha7
    cpe:2.3:a:drupal:drupal:7.0:alpha7
  • Drupal 7.0 Beta 1
    cpe:2.3:a:drupal:drupal:7.0:beta1
  • Drupal 7.0 Beta 2
    cpe:2.3:a:drupal:drupal:7.0:beta2
  • Drupal 7.0 Beta 3
    cpe:2.3:a:drupal:drupal:7.0:beta3
  • Drupal 7.0 dev
    cpe:2.3:a:drupal:drupal:7.0:dev
  • Drupal 7.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:7.0:rc1
  • Drupal 7.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:7.0:rc2
  • Drupal 7.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:7.0:rc3
  • Drupal 7.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:7.0:rc4
  • Drupal 7.1
    cpe:2.3:a:drupal:drupal:7.1
  • Drupal 7.2
    cpe:2.3:a:drupal:drupal:7.2
  • Drupal 7.3
    cpe:2.3:a:drupal:drupal:7.3
  • Drupal 7.4
    cpe:2.3:a:drupal:drupal:7.4
  • Drupal 7.5
    cpe:2.3:a:drupal:drupal:7.5
  • Drupal 7.6
    cpe:2.3:a:drupal:drupal:7.6
  • Drupal 7.7
    cpe:2.3:a:drupal:drupal:7.7
  • Drupal 7.8
    cpe:2.3:a:drupal:drupal:7.8
  • Drupal 7.9
    cpe:2.3:a:drupal:drupal:7.9
  • Drupal 7.10
    cpe:2.3:a:drupal:drupal:7.10
  • Drupal 7.11
    cpe:2.3:a:drupal:drupal:7.11
  • Drupal 7.12
    cpe:2.3:a:drupal:drupal:7.12
  • Drupal 7.13
    cpe:2.3:a:drupal:drupal:7.13
  • Drupal 7.14
    cpe:2.3:a:drupal:drupal:7.14
  • Drupal 7.15
    cpe:2.3:a:drupal:drupal:7.15
  • Drupal 7.16
    cpe:2.3:a:drupal:drupal:7.16
  • Drupal 7.17
    cpe:2.3:a:drupal:drupal:7.17
  • Drupal 7.18
    cpe:2.3:a:drupal:drupal:7.18
  • Drupal 7.19
    cpe:2.3:a:drupal:drupal:7.19
  • Drupal 7.20
    cpe:2.3:a:drupal:drupal:7.20
  • Drupal 7.21
    cpe:2.3:a:drupal:drupal:7.21
  • Drupal 7.22
    cpe:2.3:a:drupal:drupal:7.22
  • Drupal 7.23
    cpe:2.3:a:drupal:drupal:7.23
  • Drupal 7.24
    cpe:2.3:a:drupal:drupal:7.24
  • Drupal 7.25
    cpe:2.3:a:drupal:drupal:7.25
  • Drupal 7.26
    cpe:2.3:a:drupal:drupal:7.26
  • Drupal 7.27
    cpe:2.3:a:drupal:drupal:7.27
  • Drupal 7.28
    cpe:2.3:a:drupal:drupal:7.28
  • Drupal 7.29
    cpe:2.3:a:drupal:drupal:7.29
  • Drupal 7.30
    cpe:2.3:a:drupal:drupal:7.30
  • Drupal 7.31
    cpe:2.3:a:drupal:drupal:7.31
  • Drupal 7.32
    cpe:2.3:a:drupal:drupal:7.32
  • Drupal 7.33
    cpe:2.3:a:drupal:drupal:7.33
  • Drupal 7.34
    cpe:2.3:a:drupal:drupal:7.34
  • Drupal 7.35
    cpe:2.3:a:drupal:drupal:7.35
  • Drupal 7.36
    cpe:2.3:a:drupal:drupal:7.36
  • Drupal 7.37
    cpe:2.3:a:drupal:drupal:7.37
  • Drupal 7.38
    cpe:2.3:a:drupal:drupal:7.38
  • Drupal 7.40
    cpe:2.3:a:drupal:drupal:7.40
  • Drupal 7.41
    cpe:2.3:a:drupal:drupal:7.41
  • Drupal 7.42
    cpe:2.3:a:drupal:drupal:7.42
  • Drupal 7.43
    cpe:2.3:a:drupal:drupal:7.43
  • Drupal 7.44
    cpe:2.3:a:drupal:drupal:7.44
  • Drupal 7.50
    cpe:2.3:a:drupal:drupal:7.50
  • Drupal 7.51
    cpe:2.3:a:drupal:drupal:7.51
  • Drupal 7.52
    cpe:2.3:a:drupal:drupal:7.52
  • Drupal 7.53
    cpe:2.3:a:drupal:drupal:7.53
  • Drupal 7.54
    cpe:2.3:a:drupal:drupal:7.54
  • Drupal 7.55
    cpe:2.3:a:drupal:drupal:7.55
  • Drupal 8.0.0
    cpe:2.3:a:drupal:drupal:8.0.0
  • Drupal 8.0.0 Alpha 10
    cpe:2.3:a:drupal:drupal:8.0.0:alpha10
  • Drupal 8.0.0 Alpha 11
    cpe:2.3:a:drupal:drupal:8.0.0:alpha11
  • Drupal 8.0.0 Alpha 12
    cpe:2.3:a:drupal:drupal:8.0.0:alpha12
  • Drupal 8.0.0 Alpha 13
    cpe:2.3:a:drupal:drupal:8.0.0:alpha13
  • Drupal 8.0.0 Alpha 14
    cpe:2.3:a:drupal:drupal:8.0.0:alpha14
  • Drupal 8.0.0 Alpha 15
    cpe:2.3:a:drupal:drupal:8.0.0:alpha15
  • Drupal 8.0.0 Alpha 2
    cpe:2.3:a:drupal:drupal:8.0.0:alpha2
  • Drupal 8.0.0 Alpha 3
    cpe:2.3:a:drupal:drupal:8.0.0:alpha3
  • Drupal 8.0.0 Alpha 4
    cpe:2.3:a:drupal:drupal:8.0.0:alpha4
  • Drupal 8.0.0 Alpha 5
    cpe:2.3:a:drupal:drupal:8.0.0:alpha5
  • Drupal 8.0.0 Alpha 6
    cpe:2.3:a:drupal:drupal:8.0.0:alpha6
  • Drupal 8.0.0 Alpha 7
    cpe:2.3:a:drupal:drupal:8.0.0:alpha7
  • Drupal 8.0.0 Alpha 8
    cpe:2.3:a:drupal:drupal:8.0.0:alpha8
  • Drupal 8.0.0 Alpha 9
    cpe:2.3:a:drupal:drupal:8.0.0:alpha9
  • Drupal 8.0.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.0.0:beta1
  • Drupal 8.0.0 Beta 10
    cpe:2.3:a:drupal:drupal:8.0.0:beta10
  • Drupal 8.0.0 Beta 11
    cpe:2.3:a:drupal:drupal:8.0.0:beta11
  • Drupal 8.0.0 Beta 12
    cpe:2.3:a:drupal:drupal:8.0.0:beta12
  • Drupal 8.0.0 Beta 13
    cpe:2.3:a:drupal:drupal:8.0.0:beta13
  • Drupal 8.0.0 Beta 14
    cpe:2.3:a:drupal:drupal:8.0.0:beta14
  • Drupal 8.0.0 Beta 15
    cpe:2.3:a:drupal:drupal:8.0.0:beta15
  • Drupal 8.0.0 Beta 16
    cpe:2.3:a:drupal:drupal:8.0.0:beta16
  • Drupal 8.0.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.0.0:beta2
  • Drupal 8.0.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.0.0:beta3
  • Drupal 8.0.0 Beta 4
    cpe:2.3:a:drupal:drupal:8.0.0:beta4
  • Drupal 8.0.0 Beta 6
    cpe:2.3:a:drupal:drupal:8.0.0:beta6
  • Drupal 8.0.0 Beta 7
    cpe:2.3:a:drupal:drupal:8.0.0:beta7
  • Drupal 8.0.0 Beta 9
    cpe:2.3:a:drupal:drupal:8.0.0:beta9
  • Drupal 8.0.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.0.0:rc1
  • Drupal 8.0.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.0.0:rc2
  • Drupal 8.0.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:8.0.0:rc3
  • Drupal 8.0.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:8.0.0:rc4
  • Drupal 8.0.1
    cpe:2.3:a:drupal:drupal:8.0.1
  • Drupal 8.0.2
    cpe:2.3:a:drupal:drupal:8.0.2
  • Drupal 8.0.3
    cpe:2.3:a:drupal:drupal:8.0.3
  • Drupal 8.0.4
    cpe:2.3:a:drupal:drupal:8.0.4
  • Drupal 8.0.5
    cpe:2.3:a:drupal:drupal:8.0.5
  • Drupal 8.0.6
    cpe:2.3:a:drupal:drupal:8.0.6
  • Drupal 8.1.0
    cpe:2.3:a:drupal:drupal:8.1.0
  • Drupal 8.1.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.1.0:beta1
  • Drupal 8.1.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.1.0:beta2
  • Drupal 8.1.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.1.0:rc1
  • Drupal 8.1.1
    cpe:2.3:a:drupal:drupal:8.1.1
  • Drupal 8.1.2
    cpe:2.3:a:drupal:drupal:8.1.2
  • Drupal 8.1.3
    cpe:2.3:a:drupal:drupal:8.1.3
  • Drupal 8.1.4
    cpe:2.3:a:drupal:drupal:8.1.4
  • Drupal 8.1.5
    cpe:2.3:a:drupal:drupal:8.1.5
  • Drupal 8.1.6
    cpe:2.3:a:drupal:drupal:8.1.6
  • Drupal 8.1.7
    cpe:2.3:a:drupal:drupal:8.1.7
  • Drupal 8.1.8
    cpe:2.3:a:drupal:drupal:8.1.8
  • Drupal 8.1.9
    cpe:2.3:a:drupal:drupal:8.1.9
  • Drupal 8.1.10
    cpe:2.3:a:drupal:drupal:8.1.10
  • Drupal 8.2.0
    cpe:2.3:a:drupal:drupal:8.2.0
  • Drupal 8.2.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.2.0:beta1
  • Drupal 8.2.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.2.0:beta2
  • Drupal 8.2.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.2.0:beta3
  • Drupal 8.2.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.2.0:rc1
  • Drupal 8.2.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.2.0:rc2
  • Drupal 8.2.1
    cpe:2.3:a:drupal:drupal:8.2.1
  • Drupal 8.2.2
    cpe:2.3:a:drupal:drupal:8.2.2
  • Drupal 8.2.3
    cpe:2.3:a:drupal:drupal:8.2.3
  • Drupal 8.2.4
    cpe:2.3:a:drupal:drupal:8.2.4
  • Drupal 8.2.5
    cpe:2.3:a:drupal:drupal:8.2.5
  • Drupal 8.2.6
    cpe:2.3:a:drupal:drupal:8.2.6
  • Drupal 8.2.7
    cpe:2.3:a:drupal:drupal:8.2.7
  • Drupal 8.2.8
    cpe:2.3:a:drupal:drupal:8.2.8
  • Drupal 8.3.0
    cpe:2.3:a:drupal:drupal:8.3.0
  • Drupal 8.3.0 Alpha 1
    cpe:2.3:a:drupal:drupal:8.3.0:alpha1
  • Drupal 8.3.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.3.0:beta1
  • Drupal 8.3.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.3.0:rc1
  • Drupal 8.3.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.3.0:rc2
  • Drupal 8.3.1
    cpe:2.3:a:drupal:drupal:8.3.1
  • Drupal 8.3.2
    cpe:2.3:a:drupal:drupal:8.3.2
  • Drupal 8.3.3
    cpe:2.3:a:drupal:drupal:8.3.3
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 4.0
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3897.NASL
    description Two vulnerabilities were discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2015-7943 Samuel Mortenson and Pere Orga discovered that the overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. More information can be found at https://www.drupal.org/SA-CORE-2015-004 - CVE-2017-6922 Greg Knaddison, Mori Sugimoto and iancawthorne discovered that files uploaded by anonymous users into a private file system can be accessed by other anonymous users leading to an access bypass vulnerability. More information can be found at https://www.drupal.org/SA-CORE-2017-003
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 101034
    published 2017-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101034
    title Debian DSA-3897-1 : drupal7 - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-38113758E7.NASL
    description - [7.56](https://www.drupal.org/project/drupal/releases/7.56) - [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 101212
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101212
    title Fedora 25 : drupal7 (2017-38113758e7)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4FC2DF49627911E7BE0F6CF0497DB129.NASL
    description Drupal Security Team Reports : CVE-2017-6920: PECL YAML parser unsafe object handling. CVE-2017-6921: File REST resource does not properly validate CVE-2017-6922: Files uploaded by anonymous users into a private file system can be accessed by other anonymous users.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 101276
    published 2017-07-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101276
    title FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (4fc2df49-6279-11e7-be0f-6cf0497db129)
  • NASL family CGI abuses
    NASL id DRUPAL_8_3_4.NASL
    description According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.56 or 8.x prior to 8.3.4. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the PECL YAML parser due to unsafe handling of PHP objects during certain operations. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-6920) - A flaw exists in the file REST resource due to improper validation of user-supplied input to multiple fields when manipulating files. An unauthenticated, remote attacker can exploit this to have an unspecified impact on integrity. Note that a site is only affected by this issue if it has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and the attacker can get or register a user account on the site with permissions to upload files and to modify the file resource. (CVE-2017-6921) - An information disclosure vulnerability exists due to a failure to ensure that private files that have been uploaded by an anonymous user but not permanently attached to content on the site are only visible to the anonymous user who uploaded them instead of all anonymous users. An unauthenticated, remote attacker can exploit this to disclose the files of other anonymous users. (CVE-2017-6922) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-12-07
    plugin id 101063
    published 2017-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101063
    title Drupal 7.x < 7.56 / 8.x < 8.3.4 Multiple Vulnerabilities (SA-CORE-2017-003)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-6874606E19.NASL
    description - [7.56](https://www.drupal.org/project/drupal/releases/7.56) - [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 101649
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101649
    title Fedora 26 : drupal7 (2017-6874606e19)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1004.NASL
    description Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system. For Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u16. We recommend that you upgrade your drupal7 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 101092
    published 2017-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101092
    title Debian DLA-1004-1 : drupal7 security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-E8A2017B3C.NASL
    description - [7.56](https://www.drupal.org/project/drupal/releases/7.56) - [SA-CORE-2017-003](https://www.drupal.org/SA-CORE-2017-003) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-14
    plugin id 101216
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101216
    title Fedora 24 : drupal7 (2017-e8a2017b3c)
refmap via4
bid 99219
confirm https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple
debian DSA-3897
sectrack 1038781
Last major update 22-01-2019 - 10:29
Published 22-01-2019 - 10:29
Last modified 13-02-2019 - 11:35