CVE-2017-6928

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-6928
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6928.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-6928
Aliases
Downstream
Published
2018-03-01T23:29:00.357Z
Modified
2026-04-10T04:00:45.827223Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Introduced
497914920385b7016ac9c9367e0198530787adf2
Fixed
bc929eb17c4f4eea83cb796b7c5bbb984bf288bd
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
497914920385b7016ac9c9367e0198530787adf2
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
35c2f3ca5c935f3d8bde15932a712677c9bbd50f
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7
Database specific 
{
    "versions": [
        {
            "introduced": "7.0"
        },
        {
            "fixed": "7.57"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        }
    ]
}

Affected versions

7.*
7.0
7.10
7.12
7.14
7.15
7.17
7.22
7.23
7.25
7.28
7.30
7.33
7.36
7.37
7.4
7.40
7.42
7.43
7.50
7.51
7.54
7.55
7.56
7.6
7.7
7.8
7.9
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.1.0-beta1
9.*
9.0.0
9.0.0-alpha1
9.0.0-alpha2
9.0.0-beta1
9.0.0-beta2
9.0.0-beta3
9.0.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6928.json"