DRUPAL-CONTRIB-2023-014

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/s3fs/DRUPAL-CONTRIB-2023-014.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-014
Published
2023-05-03T15:44:12Z
Modified
2025-12-10T23:30:33.903633Z
Summary
[none]
Details

S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.

This module may fail to validate that a file it is asked to move to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.

This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.


Affected packages

Packagist:https://packages.drupal.org/8 / drupal/s3fs

Package

Name
drupal/s3fs
Purl
pkg:composer/drupal/s3fs

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.2.0
Database specific
{
    "constraint": "<3.2.0"
}

Database specific

affected_versions
"<3.2.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/s3fs/DRUPAL-CONTRIB-2023-014.json"