Incorrect Permission Assignment for Critical Resource Affecting drupal7 package, versions *


Severity

Recommended
low

Based on Ubuntu security rating.

Threat Intelligence

EPSS
0.09% (40th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UBUNTU1404-DRUPAL7-404499
  • published1 Mar 2018
  • disclosed1 Mar 2018

Introduced: 1 Mar 2018

CVE-2017-6928  (opens in a new tab)
CWE-732  (opens in a new tab)

How to fix?

There is no fixed version for Ubuntu:14.04 drupal7.

NVD Description

Note: Versions mentioned in the description apply only to the upstream drupal7 package and not the drupal7 package as distributed by Ubuntu. See How to fix? for Ubuntu:14.04 relevant fixed versions and status.

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.