Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-58f3-cx8p-h8jg

GitHub Security Advisory

Drupal core access bypass vulnerability

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

Affected Packages

Packagist drupal/core
Affected versions: 7.0 (fixed in 7.56)
Packagist drupal/core
Affected versions: 8.0 (fixed in 8.3.4)
Packagist drupal/drupal
Affected versions: 8.0 (fixed in 8.3.4)
Packagist drupal/drupal
Affected versions: 7.0 (fixed in 7.56)

Related CVEs

CVE-2017-6922

Key Information

GHSA ID
GHSA-58f3-cx8p-h8jg
Published
May 13, 2022 1:36 AM
Last Modified
April 23, 2024 10:30 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
drupal/core
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.