GHSA-58xv-7h9r-mx3c

Source

https://github.com/advisories/GHSA-58xv-7h9r-mx3c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-58xv-7h9r-mx3c/GHSA-58xv-7h9r-mx3c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-58xv-7h9r-mx3c

Published

2024-05-15T20:55:22Z

Modified

2024-11-29T05:49:25.309822Z

Summary

Drupal Malicious file upload with filenames stating with dot

Details

Drupal 8 core's filesaveupload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, filesaveupload() now trims leading and trailing dots from filenames.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T20:55:22Z"
}

References

Affected packages

Packagist / drupal/drupal

Package

Name: drupal/drupal
Purl: pkg:composer/drupal/drupal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.7.11

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

8.1.7

8.1.8

8.1.9

8.1.10

8.2.0-beta1

8.2.0-beta2

8.2.0-beta3

8.2.0-rc1

8.2.0-rc2

8.2.0

8.2.1

8.2.2

8.2.3

8.2.4

8.2.5

8.2.6

8.2.7

8.2.8

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.0

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7

8.3.8

8.3.9

8.4.0-alpha1

8.4.0-beta1

8.4.0-rc1

8.4.0-rc2

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.4.6

8.4.7

8.4.8

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.6.0-alpha1

8.6.0-beta1

8.6.0-beta2

8.6.0-rc1

8.6.0

8.6.1

8.6.2

8.6.3

8.6.4

8.6.5

8.6.6

8.6.7

8.6.8

8.6.9

8.6.10

8.6.11

8.6.12

8.6.13

8.6.14

8.6.15

8.6.16

8.6.17

8.6.18

8.7.0-alpha1

8.7.0-alpha2

8.7.0-beta1

8.7.0-beta2

8.7.0-rc1

8.7.0

8.7.1

8.7.2

8.7.3

8.7.4

8.7.5

8.7.6

8.7.7

8.7.8

8.7.9

8.7.10

Packagist / drupal/drupal

Package

Name: drupal/drupal
Purl: pkg:composer/drupal/drupal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.8.0

Fixed

8.8.1

Affected versions

8.*

8.8.0